Abstract

We consider a parallel Algol-like language, combining procedures with shared-variable parallelism. Procedures permit encapsulation of common parallel programming idioms. Local variables provide a way to restrict interference between parallel commands. We provide a denotational semantics for this language, simultaneously adapting “possible worlds” [Rey81, Ole82] to the parallel setting and generalizing “transition traces” [Bro93] to the procedural setting. This semantics supports reasoning about safety and liveness properties of parallel programs, and validates a number of natural laws of program equivalence based on non-interference properties of local variables. The semantics also validates familiar laws of functional programming. We also provide a relationally parametric semantics, generalizing [Bro93] to permit reasoning about relation-preserving properties of programs, and adapting work of O’Hearn and Tennent [OT95] to the parallel setting. This semantics supports standard methods of reasoning about representational independence, adapted to shared-variable programs. The clean design of the programming language and its semantics supports the orthogonality of procedures and shared-variable parallelism.


1 Introduction

The programming language ALGOL 60 has had a major influence on the theory and practice of language design and implementation [OT97]. ALGOL shows how to combine imperative programming with an essentially functional procedure mechanism, without destroying the validity of laws of program equivalence familiar from functional programming. Moreover, procedures and local variables in ALGOL can be used to support an “object-oriented” style of programming: an abstract “object” can be represented by a collection of local variables together with procedures or “methods” used to read or write them. Although ALGOL itself is no longer widely used, an idealized form of the language has stimulated a great deal of innovative research [OT97]. Idealized Algol, as characterized by John Reynolds [Rey81], augments a simple sequential imperative language with a procedure mechanism based on the simply-typed call-by-name $\lambda$-calculus; procedure definitions, recursion, and the conditional construct are uniformly applicable to all phrase types. Reynolds identified these features as embodying the “essence” of Algol.

ALGOL 60 and Reynolds’ Idealized Algol are, of course, sequential programming languages. Nevertheless the utility of procedures and local variables is certainly not limited to the sequential setting. Nowadays there is much interest in parallel programming, because of the potential for implementing efficient parallel algorithms by concurrent processes designed to cooperate in solving a common task. In this paper we focus on one of the most widely known paradigms of parallel programming, the so-called shared-variable model, in which parallel commands interact by reading and writing to shared memory. The use of procedures in such a language permits encapsulation of common parallel programming idioms. Local variable declarations provide a way to delimit the scope of interference: a local variable of one process is not shared by any other process, and is therefore unaffected by the actions of other processes running concurrently.

For instance, a procedure implementing mutual exclusion [And91] with a binary semaphore could be written (in sugared form) as:

    procedure mutex(n1, c1, n2, c2);
      boolean s;
      begin
        s := true;
        while true do
          (n1; await s then s := false;
           c1; s := true)
        ||
        while true do
          (n2; await s then s := false;
           c2; s := true)
      end

Here c1 and c2 are parameters representing “critical” regions of code, and n1 and n2 represent non-critical code. The correctness of this procedure, i.e. the fact that the two critical regions are never concurrently active, relies on the inaccessibility of s to the procedure’s arguments.

For another example, suppose two “worker” processes must each repeatedly execute a piece of code, can and should run concurrently, but need to stay in phase with each other, so that at each stage the two workers are executing the same iteration. If the parameters c0 and c1 represent the two workers’ code, one way to achieve this execution pattern is represented by the following procedure:

    procedure workers(c0, c1); while true do (c0 || c1)

However, this program structure incurs the repeated overhead caused by creation and deletion of a pair of threads each time the loop body is executed. Although this defect has no effect on the overall correctness of the procedure, since it is obvious that the intended pattern of execution is achieved, for pragmatic reasons it might be preferable to design a program that creates two perpetually active threads, constrained to ensure that the threads stay in phase with each other. One way to achieve this, known as barrier synchronization [And91], uses a pair of local boolean variables:

    procedure barrier(c0, c1);
      boolean flag0, flag1;
      procedure synch(x, y); (x := true; await y; y := false);
      begin
        flag0 := false; flag1 := false;
        while true do (c0; synch(flag0, flag1))
        ||
        while true do (c1; synch(flag1, flag0))
      end

The correctness of this implementation relies on locality of the flag variables. The two procedures workers and barrier are equivalent, in that for all possible arguments c0 and c1 the two procedure calls exhibit identical behaviors.

It is well known that parallel programs can be hard to reason about, because of the potential for undesirable interference between commands running in parallel. One might expect this problem to be exacerbated by the inclusion of procedures. Indeed, semantic accounts of shared-variable languages in the literature typically do not encompass procedures; the (usually implicit) attitude seems to be that concurrency is already difficult enough to handle by itself. Similarly, existing models for sequential Algol [Rey81, Ole82, OT95] do not handle parallelism, presumably because of the difficulty even in the sequential setting of modelling “local” state accurately [HMT83]. Nevertheless it seems intuitive that procedures and parallelism are “orthogonal” concepts, so that one ought to be able to design a programming language incorporating both seamlessly. This is the rationale behind our design of an idealized parallel Algol, blending a shared-variable parallel language with the $\lambda$-calculus while remaining faithful to Reynolds’ ideals.

Even for sequential Algol the combination of procedures and local variables causes well known semantic problems for traditional, location-based store models. Such models typically fail to validate certain intuitive laws of program equivalence whose validity depends on “locality” properties of local variables [HMT83], such as the following law:

$$\mathbf{new}[\mathrm{int}]\ x\ \mathbf{in}\ P = P,$$

when $P$ is a free variable of type $\mathrm{comm}$ (representing a command). Intuitively, introducing a local variable $x$ and never using it should have no effect, so that whatever the interpretation of $P$ the two phrases should be indistinguishable; however, in a simple location-based semantics the presence of command meanings whose effect depends on the contents of specific locations will cause this equivalence to break. A more satisfactory semantics was proposed by Reynolds and Oles [Rey81, Ole82], based on a category of “possible worlds”: a world $W$ represents a set of “allowed states”; morphisms between worlds represent “expansions” corresponding to the declaration of new variables; types denote functors from the category of worlds to a category of domains and continuous functions; and well-typed phrases denote natural transformations between such functors. A command meaning at world $W$ is a partial function from $W$ to $W$. Naturality guarantees that a phrase behaves “uniformly” with respect to expansions between worlds, thereby enforcing locality constraints and validating laws such as the one discussed above.

The parallel setting requires a more sophisticated semantic structure because of the potential for interference between parallel commands. We adapt the “transition traces” semantics of [Bro93], modelling a command at world $W$ as a set of finite and infinite traces, a subset of $(W \times W)^\infty$. The trace semantics given in [Bro93] covered a simple shared-variable parallel language, without procedures, with while-loops as the only means of recursion, assuming a single global set of states. This semantics was carefully designed to incorporate the assumption of fairness [Par79]. It is far from obvious that this kind of trace semantics can be generalized in a manner consistent with Reynolds’ idealization, to include a general procedure mechanism, and a conditional construct and recursion at all types. Similarly, it is not evident that the possible worlds approach can be made to work for a parallel language. We show here that these approaches can indeed be combined. The resulting semantics brings out the stack discipline clearly yet models parallelism at an appropriate level of abstraction to permit compositional reasoning about safety and liveness properties of programs. Our categorical recasting of [Bro93] permits an improved treatment of local variables. The semantics for the $\lambda$-calculus fragment of the language is completely standard, based as usual on the cartesian closed structure of the underlying category. Thus our semantics supports the claim that procedures and parallelism are “orthogonal”.

Since we are interested in proving liveness and safety properties of parallel programs it is vital to deal accurately with infinite traces. In particular, in our setting it is inappropriate to treat divergence as “catastrophic” or “undefined”, and it is wrong to equate all forms of divergence, as is typically done in a conventional least-fixed-point semantics (where a single distinguished semantic value $\bot$ represents divergence). Instead, our treatment of recursion uses Tarski’s theorem on greatest fixed points of monotone functions on complete lattices [Tar55]. Roughly speaking, a least-fixed-point semantics for our language would capture only the finite behaviors of programs, thus ignoring the potential for divergence; a greatest-fixed-point semantics captures both finite and infinite aspects of a program’s behavior.

As we have remarked, our possible worlds semantics of Parallel Algol validates familiar laws of functional programming, as well as familiar laws of shared-variable programming, and equivalences based on locality properties. When applied to the examples listed earlier it produces the intended results; for instance, the workers and barrier procedures are indeed semantically equivalent. However, just as for the Reynolds-Oles possible worlds model of sequential Idealized Algol, certain laws of program equivalence involving the use of local variables and procedures to represent abstract data objects fail to hold, because of the presence in the model of certain insufficiently well behaved elements. These equivalences typically embody the principle of “representational independence” familiar from structured programming methodology: a program using an “object” (perhaps a member of some abstract data type) should behave the same way regardless of the object’s implementation, provided its abstract properties are the same. Such equivalences are usually established by relational reasoning, typically involving some kind of invariant property that holds between the states of two programs that use alternative implementations. These problems led O’Hearn and Tennent to propose a “relationally parametric” semantics for sequential Idealized Algol [OT95], building on foundations laid in [Rey83]. In this semantics a type denotes a parametric functor from worlds to domains, and phrases denote parametric natural transformations between such functors. The parametricity constraints enforce the kind of relation-preserving properties needed to establish equivalences involving representation independence. We show how to construct a relationally parametric semantics for Parallel Algol, generalizing the O’Hearn-Tennent model to the parallel setting. We thus obtain a semantics that validates reasoning methods based on representation independence, as adapted to deal with shared-variable programs.
2 Syntax

2.1 Types and type environments

The type structure of our language is conventional [Rey81]: datatypes representing the set of integers and the set of booleans; phrase types built from expressions, variables, and commands, using product and arrow. We use $\tau$ as a meta-variable ranging over the set of datatypes, and $\theta$ to range over the set of phrase types, as specified by the following abstract grammar:

$$\theta ::= \mathrm{exp}[\tau] \mid \mathrm{var}[\tau] \mid \mathrm{comm} \mid (\theta \to \theta') \mid \theta \times \theta'$$

$$\tau ::= \mathrm{int} \mid \mathrm{bool}$$

Let $\iota$ range over the set of identifiers. A type environment $\pi$ is a partial function from identifiers to types. We write $\mathrm{dom}(\pi)$ for the domain of $\pi$, i.e. the set of identifiers for which $\pi$ specifies a type. Let $(\pi \mid \iota : \theta)$ be the type environment that agrees with $\pi$ except that it maps $\iota$ to $\theta$.

2.2 Phrases and type judgements

A type judgement of form $\pi \vdash P : \theta$ is interpreted as saying that phrase $P$ has type $\theta$ in type environment $\pi$. A judgement is valid iff it can be proven from the axioms and rules in Figure 1. We omit the rules dealing with phrases of type $\mathrm{var}[\tau]$ and $\mathrm{exp}[\tau]$, except to remark that the language contains the usual arithmetic and boolean operations. We let $\mathrm{FV}(P)$ denote the set of identifiers occurring free in $P$.

In addition, for convenience, we add the following rule; this allows us to elide the otherwise necessary projection for extracting the “R-value” of a variable:

$$\frac{\pi \vdash P : \mathrm{var}[\tau]}{\pi \vdash P : \mathrm{exp}[\tau]}$$

The syntax used here for phrases is essentially a simply typed $\lambda$-calculus with product types, combined with a shared-variable parallel language over ground type $\mathrm{comm}$. Note that, in the spirit of Algol, the conditional construction $\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2$ and recursion $\mathbf{rec}\ \iota.P$ are available at all phrase types $\theta$. We restrict the use of a “conditional atomic action” $\mathbf{await}\ B\ \mathbf{then}\ P$ to cases where $P$ is “atomic”, i.e. a finite sequence of assignments (or $\mathbf{skip}$),
$$\pi \vdash \mathbf{skip} : \mathrm{comm}$$

$$\frac{\pi \vdash X : \mathrm{var}[\tau] \quad \pi \vdash E : \mathrm{exp}[\tau]}{\pi \vdash X := E : \mathrm{comm}}$$

$$\frac{\pi \vdash P_1 : \mathrm{comm} \quad \pi \vdash P_2 : \mathrm{comm}}{\pi \vdash P_1 ; P_2 : \mathrm{comm}}$$

$$\frac{\pi \vdash P_1 : \mathrm{comm} \quad \pi \vdash P_2 : \mathrm{comm}}{\pi \vdash P_1 \parallel P_2 : \mathrm{comm}}$$

$$\frac{\pi \vdash B : \mathrm{exp}[\mathrm{bool}] \quad \pi \vdash P_1 : \theta \quad \pi \vdash P_2 : \theta}{\pi \vdash \mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 : \theta}$$

$$\frac{\pi \vdash B : \mathrm{exp}[\mathrm{bool}] \quad \pi \vdash P : \mathrm{comm}}{\pi \vdash \mathbf{await}\ B\ \mathbf{then}\ P : \mathrm{comm}} \quad (P\ \text{atomic})$$

$$\frac{\pi \vdash B : \mathrm{exp}[\mathrm{bool}] \quad \pi \vdash P : \mathrm{comm}}{\pi \vdash \mathbf{while}\ B\ \mathbf{do}\ P : \mathrm{comm}}$$

$$\frac{\pi, \iota : \mathrm{var}[\tau] \vdash P : \mathrm{comm}}{\pi \vdash \mathbf{new}[\tau]\ \iota\ \mathbf{in}\ P : \mathrm{comm}}$$

$$\pi \vdash \iota : \theta \quad (\text{when } \pi(\iota) = \theta)$$

$$\frac{\pi \vdash P : \theta_0 \times \theta_1}{\pi \vdash \mathbf{fst}\ P : \theta_0} \qquad \frac{\pi \vdash P_0 : \theta_0 \quad \pi \vdash P_1 : \theta_1}{\pi \vdash (P_0, P_1) : \theta_0 \times \theta_1} \qquad \frac{\pi \vdash P : \theta_0 \times \theta_1}{\pi \vdash \mathbf{snd}\ P : \theta_1}$$

$$\frac{\pi, \iota : \theta \vdash P : \theta}{\pi \vdash \mathbf{rec}\ \iota.P : \theta}$$

$$\frac{\pi, \iota : \theta \vdash P : \theta'}{\pi \vdash \lambda\iota : \theta.P : (\theta \to \theta')}$$

$$\frac{\pi \vdash P : \theta \to \theta' \quad \pi \vdash Q : \theta}{\pi \vdash P(Q) : \theta'}$$

Figure 1: Type judgements


so that it is indeed feasible to implement this construct as an indivisible action. The special case $\mathbf{await}\ B\ \mathbf{then}\ \mathbf{skip}$ may be abbreviated by $\mathbf{await}\ B$.

In displaying examples of programs it is often convenient to use a sugared form of syntax. For instance, we may write

    integer z;
    begin P end

for $\mathbf{new}[\mathrm{int}]\ z\ \mathbf{in}\ P$. Similarly we may write

    procedure f(x); P0;
    begin P end

instead of $(\lambda f.P)(\mathbf{rec}\ f.\lambda x.P_0)$. With this convention it is straightforward to de-sugar the examples discussed earlier into the formal syntax described here. When $f$ does not occur free in $P_0$ the de-sugaring can go a little further: when the procedure is not recursive this notation corresponds to $(\lambda f.P)(\lambda x.P_0)$.


3 Possible worlds

The category $\mathbf{W}$ of possible worlds [Ole82] has as objects countable sets, called “worlds” or “store shapes”, representing sets of allowed states. We let $V_{\mathrm{int}} = \{\ldots, -1, 0, 1, \ldots\}$ and $V_{\mathrm{bool}} = \{\mathit{tt}, \mathit{ff}\}$. Intuitively, the world $V_\tau$ consists of states representing a single storage cell capable of holding a value of data type $\tau$. We will use $V, W, X$, and decorated versions such as $W'$, as meta-variables ranging over $\mathrm{Ob}(\mathbf{W})$.

The morphisms from $W$ to $W'$ are pairs $h = (f, Q)$ where $f$ is a function from $W'$ to $W$ and $Q$ is an equivalence relation on $W'$, such that the restriction of $f$ to each equivalence class of $Q$ is a bijection with $W$:

• $\forall x', y'.\ (x' Q y' \ \&\ f x' = f y' \Rightarrow x' = y')$;

• $\forall x \in W.\ \forall y' \in W'.\ \exists x'.\ (x' Q y' \ \&\ f x' = x)$.

Intuitively, when $(f, Q) : W \to W'$, we think of $W'$ as a set of “large” states extending the “small” states of $W$ with extra storage structure; $f$ extracts the small state embedded inside a large state, and $Q$ identifies two large states when they have the same extra structure. We will often find it convenient to blur the distinction between a relation $Q$ on a set $W'$ and its graph, i.e. the set $\{(x, y) \mid x Q y\} \subseteq W' \times W'$.

The identity morphism on $W$ is the pair $(\mathrm{id}_W, W \times W)$, where $\mathrm{id}_W$ is the identity function on the set $W$. For each pair of objects $W$ and $V$ there is an “expansion” morphism $- \times V : W \to W \times V$, given by

$$- \times V = (\mathit{fst} : W \times V \to W,\ Q), \quad \text{where } Q = \{((w_0, v), (w_1, v)) \mid w_0, w_1 \in W \ \&\ v \in V\}.$$

The composition of morphisms $h = (f, Q) : W \to W'$ and $h' = (g, R) : W' \to W''$, denoted $h ; h' : W \to W''$, is the pair given by:

$$(f \circ g,\ \{(z_0, z_1) \in R \mid (g z_0, g z_1) \in Q\}).$$

As Oles has shown [Ole82], every morphism of worlds is an expansion composed with an isomorphism. Of particular relevance are structural isomorphisms reflecting the commutativity and associativity of cartesian product. For all worlds $W, X, Y$ let

$$\mathit{swap}_{W,X} : W \times X \to X \times W$$

$$\mathit{assoc}_{W,X,Y} : W \times (X \times Y) \to (W \times X) \times Y$$

be the obvious natural isomorphisms. When equipped with the appropriate universal equivalence relation, so that there is a single equivalence class, these functions become isomorphisms in the category of worlds. For instance,

$$(\mathit{swap}_{W,X},\ (W \times X) \times (W \times X))$$

is an isomorphism from $X \times W$ to $W \times X$. Thus the nature of morphisms in this category captures the essence of local variable declarations in a clean and simple manner, and facilitates a “location-free” treatment of storage.


4 Semantics of types

Each type $\theta$ will be interpreted as a functor $[\![\theta]\!]$ from $\mathbf{W}$ to the category $\mathbf{D}$ of domains and continuous functions. As shown by Oles [Ole82], the category whose objects consist of such functors, with natural transformations as morphisms, is cartesian closed. We will use the categorical product and exponentiation in this ccc to interpret product types $\theta_0 \times \theta_1$ and arrow types $\theta_0 \to \theta_1$, respectively. The main differences between our parallel interpretation and the model developed by Oles and Reynolds concern the functorial treatment of the ground types $\mathrm{comm}$ and $\mathrm{exp}[\tau]$.

4.1 Commands

We interpret the type $\mathrm{comm}$ using “transition traces” [Bro93], but instead of assuming a single global state set we parameterize our definitions in terms of worlds. For each world $W$, $[\![\mathrm{comm}]\!]W$ will consist of sets of traces over $W$. A finite trace $(w_0, w_0')(w_1, w_1') \ldots (w_n, w_n')$ of a command represents a terminating computation from state $w_0$ to $w_n'$, during which the state was changed externally $n$ times (by interference from another command running in parallel), the $i$th interruption changing the state from $w_{i-1}'$ to $w_i$. An infinite trace $((w_n, w_n'))_{n=0}^{\infty}$ of a command represents an infinite execution, again assuming repeated interference.

When $A$ is a set, we write $A^*$ for the set of finite sequences over $A$, $A^+$ for the set of non-empty finite sequences over $A$, $A^\omega$ for the set of (countably) infinite sequences over $A$, and $A^\infty = A^+ \cup A^\omega$. Clearly, each of these operations extends to a functor (on $\mathbf{Set}$), the morphism part being the appropriate “map” operation, which applies a function to each element of a sequence. Concatenation is extended to infinite traces in the usual way: $\alpha\beta = \alpha$ when $\alpha$ is infinite. The empty sequence, denoted $\epsilon$, is a unit for concatenation. We extend concatenation, and finite and infinite iteration, to trace sets and to relations over traces, in the obvious componentwise manner; for instance, when $R, S \subseteq A^\infty \times A^\infty$, we let

$$R \cdot S = \{(\alpha_0\beta_0,\ \alpha_1\beta_1) \mid (\alpha_0, \alpha_1) \in R \ \&\ (\beta_0, \beta_1) \in S\}.$$


Using this notation, then, a command denotes a subset of $(W \times W)^\infty$. However, as in [Bro93], we let a step $(w, w')$ in a trace represent a finite sequence of atomic actions, rather than a single atomic action. The trace set of a command is therefore closed under two natural operations: stuttering and mumbling¹. Intuitively, stuttering involves the insertion of “idling” steps of the form $(w, w)$ into a trace, while mumbling involves the collapsing of adjacent steps of the form $(w, w')(w', w'')$ into a single step $(w, w'')$. We formalize this as follows.

¹ The use of closed sets of traces guarantees full abstraction for the simple shared-variable language [Bro93]. The closure conditions correspond, respectively, to reflexivity and transitivity of the $\to^*$ relation in a conventional operational semantics.

We define relations $\mathit{stut}_A, \mathit{mum}_A \subseteq (A \times A)^+ \times (A \times A)^+$ by:

$$\mathit{stut}_A = \{(\alpha\beta,\ \alpha(a, a)\beta) \mid a \in A \ \&\ \alpha\beta \in (A \times A)^+\}$$

$$\mathit{mum}_A = \{(\alpha(a, a')(a', a'')\beta,\ \alpha(a, a'')\beta) \mid \alpha\beta \in (A \times A)^* \ \&\ a, a', a'' \in A\}.$$

Let $\mathit{idle}_A = \{(\alpha, \alpha) \mid \alpha \in (A \times A)^\infty\}$ denote the identity relation on $(A \times A)^\infty$. We then extend these relations to arbitrary traces, defining the relations $\mathit{stut}_A^\infty, \mathit{mum}_A^\infty \subseteq (A \times A)^\infty \times (A \times A)^\infty$ by²:

$$\mathit{stut}_A^\infty = \mathit{stut}_A^* \cdot \mathit{idle}_A \cup \mathit{stut}_A^\omega$$

$$\mathit{mum}_A^\infty = \mathit{mum}_A^* \cdot \mathit{idle}_A \cup \mathit{mum}_A^\omega.$$

We say that a set $T$ of traces over $W$ is closed if

$$\alpha \in T \ \&\ (\alpha, \beta) \in \mathit{stut}_W^\infty \Rightarrow \beta \in T;$$

$$\alpha \in T \ \&\ (\alpha, \beta) \in \mathit{mum}_W^\infty \Rightarrow \beta \in T.$$

We write $T^\dagger$ for the closure of $T$, that is, the smallest closed set of traces containing $T$ as a subset.

Let $\wp^\dagger((W \times W)^\infty)$ denote the set of closed sets of traces over $W$, ordered by set inclusion. This forms a domain, in fact a complete lattice, with least element $\{\}$, greatest element the set of all traces, and lubs given by unions. For a morphism $h = (f, Q) : W \to W'$, $[\![\mathrm{comm}]\!]h$ should convert a set $c$ of traces over $W$ to the set of traces over $W'$ that “project back” via $f$ to a trace in $c$ and respect the equivalence relation $Q$ in each step. We therefore define

$$[\![\mathrm{comm}]\!]W = \wp^\dagger((W \times W)^\infty),$$

$$[\![\mathrm{comm}]\!](f, Q)c = \{\alpha' \mid \mathit{map}(f \times f)\alpha' \in c \ \&\ \mathit{map}(Q)\alpha'\},$$

where $\mathit{map}(Q)\alpha'$ indicates that each step in $\alpha'$ respects $Q$. It is straightforward to check that this is indeed a functor.

² Equivalently, these relations can be characterized as the greatest fixed points of the monotone functionals

$$F(R) = \mathit{idle}_A \cup \mathit{stut}_A \cdot R$$

$$G(R) = \mathit{idle}_A \cup \mathit{mum}_A \cdot R,$$

which operate on the complete lattice of relations over traces, ordered by set inclusion.

Note that if $c$ is a closed set of traces so is $[\![\mathrm{comm}]\!]hc$ as defined above. Moreover, the definition of $[\![\mathrm{comm}]\!]h$ is also applicable to a general trace set, and it is easy to see that for any set $c$ of traces $[\![\mathrm{comm}]\!]h(c^\dagger) = ([\![\mathrm{comm}]\!]hc)^\dagger$, so that the action of $[\![\mathrm{comm}]\!]$ on morphisms interacts smoothly with closure. This observation is sometimes helpful in calculations.

The case when the morphism $h$ is an expansion from $W$ to $W \times V$ is worth particular attention; when $c$ is a trace set over $W$, $[\![\mathrm{comm}]\!](- \times V)c$ is the trace set over $W \times V$ consisting of traces that look like a trace of $c$ augmented with stuttering in the $V$-component:

$$[\![\mathrm{comm}]\!](- \times V)c = \{((w_0, v_0), (w_0', v_0)) \ldots ((w_n, v_n), (w_n', v_n)) \mid (w_0, w_0') \ldots (w_n, w_n') \in c \ \&\ \forall i \le n.\ v_i \in V\}$$

$$\cup\ \{((w_0, v_0), (w_0', v_0)) \ldots ((w_n, v_n), (w_n', v_n)) \ldots \mid (w_0, w_0') \ldots (w_n, w_n') \ldots \in c \ \&\ \forall i \ge 0.\ v_i \in V\}$$

This is as intended: here $c$ represents the meaning of a command that uses part of the store represented by $W$, so when we expand the shape of the store the extra structure represented by the $V$-component should not be affected by the command’s behavior, nor should it affect the command’s behavior.
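As an added illustration, not taken from the paper, the following Python script models the definitions of this section over finite worlds and finite traces: stuttering and mumbling closure (cut off at a maximum trace length, since the full closure is infinite), the morphism conditions of Section 3, the action $[\![\mathrm{comm}]\!](f, Q)c$, and the expansion $- \times V$. The two-cell worlds, the trace set $c$ and every function name are constructed for this example; it checks that the expanded traces leave the $V$-component untouched and that closure commutes with the morphism action, as noted above.

```python
from itertools import product


def stutter_once(trace, world):
    """Traces obtained from `trace` by inserting one idle step (a, a), a in world."""
    out = set()
    for i in range(len(trace) + 1):
        for a in world:
            out.add(trace[:i] + ((a, a),) + trace[i:])
    return out


def mumble_once(trace):
    """Traces obtained by collapsing adjacent steps (a, a')(a', a'') into (a, a'')."""
    out = set()
    for i in range(len(trace) - 1):
        (a, a1), (b1, a2) = trace[i], trace[i + 1]
        if a1 == b1:
            out.add(trace[:i] + ((a, a2),) + trace[i + 2:])
    return out


def closure(traces, world, max_len):
    """The closure T-dagger of a finite trace set, cut off at trace length max_len.

    Mumbling only shortens traces, so it is run to a fixpoint first; stuttering
    only lengthens them (the full closure is infinite), so it is bounded by
    max_len.  A stutter followed by a mumble either cancels or commutes with
    it, so this order loses nothing below the cut-off.
    """
    closed, frontier = set(traces), set(traces)
    while frontier:
        new = set().union(*(mumble_once(t) for t in frontier))
        frontier = new - closed
        closed |= frontier
    frontier = set(closed)
    while frontier:
        new = set().union(*(stutter_once(t, world) for t in frontier
                            if len(t) < max_len))
        frontier = new - closed
        closed |= frontier
    return frozenset(closed)


def is_morphism(f, Q, W, Wp):
    """(f, Q): W -> W' is a morphism of worlds iff Q is an equivalence relation
    on W' and f restricted to each Q-class is a bijection with W (Section 3)."""
    equiv = (all((x, x) in Q for x in Wp)
             and all((y, x) in Q for (x, y) in Q)
             and all((x, z) in Q for (x, y) in Q for (y2, z) in Q if y == y2))
    injective = all(x == y for x in Wp for y in Wp
                    if (x, y) in Q and f[x] == f[y])
    surjective = all(any((xp, y) in Q and f[xp] == x for xp in Wp)
                     for x in W for y in Wp)
    return equiv and injective and surjective


def apply_morphism(c, f, Q, Wp):
    """[comm](f, Q)c = {a' | map(f x f)a' in c and every step of a' respects Q}."""
    fibre = {w: [x for x in Wp if f[x] == w] for w in set(f.values())}
    result = set()
    for alpha in c:
        # for each small step (w, w1) of alpha, the large steps (x, y) above it
        choices = [[(x, y) for x in fibre.get(w, []) for y in fibre.get(w1, [])
                    if (x, y) in Q] for (w, w1) in alpha]
        result.update(product(*choices))
    return frozenset(result)


def expansion(W, V):
    """The expansion morphism - x V : W -> W x V of Section 3: f is fst and
    Q relates large states with the same V-component."""
    Wp = frozenset(product(W, V))
    f = {wv: wv[0] for wv in Wp}
    Q = frozenset(((w0, v), (w1, v)) for w0 in W for w1 in W for v in V)
    return f, Q, Wp


def v_component_idle(traces):
    """True iff no step of any trace changes the V-component of the state."""
    return all(x[1] == y[1] for t in traces for (x, y) in t)


def demo(max_len=3):
    """Constructed example: W is one cell holding 0 or 1, V is a newly declared
    cell holding 'p' or 'q', and c is the (unclosed) trace set of the command
    that writes 1 into the W cell whatever it held before."""
    W, V = frozenset({0, 1}), frozenset({"p", "q"})
    c = {((0, 1),), ((1, 1),)}
    f, Q, Wp = expansion(W, V)
    assert is_morphism(f, Q, W, Wp)
    expanded = apply_morphism(c, f, Q, Wp)
    # the identity noted in the text: [comm]h(c-dagger) = ([comm]h c)-dagger
    lhs = apply_morphism(closure(c, W, max_len), f, Q, Wp)
    rhs = closure(expanded, Wp, max_len)
    return {"expanded": expanded, "commutes": lhs == rhs,
            "v_untouched": v_component_idle(rhs)}


if __name__ == "__main__":
    print(demo())
```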

4.2 Expressions

Our treatment of expressions is similar, using a slightly simpler form of trace to reflect the assumption that expression evaluation does not cause side-effects, but with enough structure to permit a fine-grained semantics in which expression evaluation need not be atomic. We also allow for possible non-termination, and for the possibility that expression evaluation may be non-deterministic.

A finite trace of the form $(w_0 w_1 \ldots w_n, v)$ represents an evaluation of an expression during which the state is changed as indicated, terminating with the result $v$. It suffices to allow such cases only when $n$ is finite, since we assume fair interaction between an expression and its environment: it is impossible for the environment to interrupt infinitely often in a finite amount of time. On the other hand, if an expression evaluation fails to terminate the state may be changed arbitrarily many times and no result value is obtained; we represent such a case as an infinite trace in $W^\omega$. Note in particular that the trace $w^\omega$ represents divergence when evaluated in state $w$ without interference. Thus we will model the meaning of an expression of type $\tau$, in world $W$, as a subset $e$ of $W^+ \times V_\tau \cup W^\omega$; this subset will be closed under the obvious analogues of stuttering and mumbling³. Let $\wp^\dagger(W^+ \times V_\tau \cup W^\omega)$ denote the collection of closed sets of expression traces, ordered by inclusion. Accordingly, we define

$$[\![\mathrm{exp}[\tau]]\!]W = \wp^\dagger(W^+ \times V_\tau \cup W^\omega)$$

$$[\![\mathrm{exp}[\tau]]\!](f, Q)e = \{(\rho', v) \mid (\mathit{map}\,f\,\rho', v) \in e\} \cup \{\rho' \in W'^\omega \mid \mathit{map}\,f\,\rho' \in e\}.$$

Again, functoriality is easy to check.

4.3 Product types

We interpret product types in the standard way, as products of the corresponding functors:

$$[\![\theta \times \theta']\!]W = [\![\theta]\!]W \times [\![\theta']\!]W$$

$$[\![\theta \times \theta']\!]h = [\![\theta]\!]h \times [\![\theta']\!]h.$$


4.4 Arrow types

We interpret arrow types using functor exponentiation, as in [OT95]. The domain $[\![\theta \to \theta']\!]W$ consists of the families $p(-)$ of functions, indexed by morphisms from $W$, such that whenever $h : W \to W'$, $p(h) : [\![\theta]\!]W' \to [\![\theta']\!]W'$, and whenever $h' : W' \to W''$, $p(h) ; [\![\theta']\!]h' = [\![\theta]\!]h' ; p(h ; h')$. This uniformity condition amounts to commutativity of the following diagram, for $h : W \to W'$ and $h' : W' \to W''$:

[Diagram: the square with top edge $p(h) : [\![\theta]\!]W' \to [\![\theta']\!]W'$, bottom edge $p(h ; h') : [\![\theta]\!]W'' \to [\![\theta']\!]W''$, and vertical edges $[\![\theta]\!]h'$ and $[\![\theta']\!]h'$.]

The domain $[\![\theta \to \theta']\!]W$ is ordered by

$$p(-) \sqsubseteq q(-) \iff \forall W'.\ \forall h : W \to W'.\ p(h) \sqsubseteq q(h),$$

the obvious parametrized version of the pointwise ordering. It is easy to check that with this ordering $[\![\theta \to \theta']\!]W$ is indeed a domain, assuming that, for each $W$, $[\![\theta']\!]W$ is a domain.

The morphism part of $[\![\theta \to \theta']\!]$ is defined by:

$$[\![\theta \to \theta']\!](h : W \to W')p = \lambda h' : W' \to W''.\ p(h ; h').$$

This kind of $\lambda$-abstraction for denoting indexed families (here, elements of $[\![\theta \to \theta']\!]W'$) is a convenient notational abuse.

³ For instance, for all $\rho, \sigma \in W^*$ and all $v \in V_\tau$, $w \in W$, $(\rho\sigma, v) \in e \Rightarrow (\rho w \sigma, v) \in e$, and $(\rho w w \sigma, v) \in e \Rightarrow (\rho w \sigma, v) \in e$. Similarly for infinite expression traces.

4.5 Variables

For variables we give an “object-oriented” semantics, in the style of Reynolds and Oles. A variable of type $\tau$ is a pair consisting of an “acceptor” (which accepts a value of type $\tau$ and returns a command) and an expression value. This is modelled by:

$$[\![\mathrm{var}[\tau]]\!]W = (V_\tau \to [\![\mathrm{comm}]\!]W) \times [\![\mathrm{exp}[\tau]]\!]W$$

$$[\![\mathrm{var}[\tau]]\!]h = \lambda(a, e).\ (\lambda v.\ [\![\mathrm{comm}]\!]h(a\,v),\ [\![\mathrm{exp}[\tau]]\!]h\,e).$$

This formulation is exactly as in [Ole82], although the underlying interpretations of $\mathrm{comm}$ and $\mathrm{exp}[\tau]$ are different.


5  Semantics  of  phrases 


A type environment $\pi$ determines a functor $\llbracket \pi \rrbracket$ as an indexed product. A member $u$ of $\llbracket \pi \rrbracket W$ is an environment mapping identifiers to values of the appropriate type: if $\pi(\iota) = \theta$ then $u\iota \in \llbracket \theta \rrbracket W$.

When $\pi \vdash P : \theta$ is a valid judgement, $P$ denotes a natural transformation $\llbracket P \rrbracket$ from $\llbracket \pi \rrbracket$ to $\llbracket \theta \rrbracket$. That is, for all environments $u \in \llbracket \pi \rrbracket W$, whenever $h : W \to W'$,

$$\llbracket \theta \rrbracket h\, (\llbracket P \rrbracket W u) = \llbracket P \rrbracket W' (\llbracket \pi \rrbracket h\, u).$$

This is the usual naturality square, for all $h : W \to W'$: the two paths from $\llbracket \pi \rrbracket W$ to $\llbracket \theta \rrbracket W'$, via $\llbracket P \rrbracket W$ followed by $\llbracket \theta \rrbracket h$, or via $\llbracket \pi \rrbracket h$ followed by $\llbracket P \rrbracket W'$, coincide.

We provide a denotational description of the semantics, beginning with the definitions for the simple shared-variable language constructs, adapting the definitions of [Bro93] to the functor category setting. In the following semantic clauses, assume that $\pi \vdash P : \theta$ and $u$ ranges over $\llbracket \pi \rrbracket W$. In each case naturality is easy to verify, assuming naturality for the meanings of immediate subphrases.

5.1  Expressions 

We omit the semantic clauses for expressions, except for two representative cases to illustrate the use of expression traces. The expression 1 always evaluates to the corresponding integer value, even if the state changes during evaluation:

$$\llbracket 1 \rrbracket W u = \{(w_0 \ldots w_n, 1) \mid n \ge 0 \;\&\; \forall i.\; w_i \in W\}.$$

The following clause specifies that addition is sequential and evaluates its arguments from left to right:

$$\begin{array}{rl}
\llbracket E_1 + E_2 \rrbracket W u \;=\; & \{(\rho_1 \rho_2, v_1 + v_2) \mid (\rho_1, v_1) \in \llbracket E_1 \rrbracket W u \;\&\; (\rho_2, v_2) \in \llbracket E_2 \rrbracket W u\}^\dagger \\
\cup\; & \{\rho_1 \rho_2 \mid (\rho_1, v_1) \in \llbracket E_1 \rrbracket W u \;\&\; \rho_2 \in \llbracket E_2 \rrbracket W u \cap W^\omega\}^\dagger \\
\cup\; & \{\rho \in W^\omega \mid \rho \in \llbracket E_1 \rrbracket W u\}^\dagger
\end{array}$$

Other interpretations are also possible, including a parallel form of addition.

Let $\Delta_W : W \to W \times W$ denote the diagonal map: $\Delta_W(w) = (w, w)$. This may be used to coerce expression traces into command-like traces in cases (such as assignment, or conditional) where a command has a subphrase of expression type.

5.2  skip 

skip has only finite traces consisting of stuttering steps:

$$\llbracket \mathbf{skip} \rrbracket W u = \{(w, w) \mid w \in W\}^\dagger = \{(w_0, w_0)(w_1, w_1) \ldots (w_n, w_n) \mid n \ge 0 \;\&\; \forall i.\; w_i \in W\}.$$

To show naturality of this definition, consider a morphism $(f, Q) : W \to W'$. We have

$$\begin{array}{rl}
\llbracket \mathrm{comm} \rrbracket (f, Q)(\llbracket \mathbf{skip} \rrbracket W u) & = \llbracket \mathrm{comm} \rrbracket (f, Q)\, \{(w_0, w_0) \ldots (w_n, w_n) \mid n \ge 0 \;\&\; \forall i.\; w_i \in W\} \\
& = \{(w'_0, w'_0) \ldots (w'_n, w'_n) \mid n \ge 0 \;\&\; \forall i.\; w'_i \in W'\} \\
& = \llbracket \mathbf{skip} \rrbracket W' (\llbracket \pi \rrbracket (f, Q)\, u),
\end{array}$$

because $f$ puts each $Q$-class in bijection with $W$, so that for each $w_i$ there is a $w'_i$ such that $f(w'_i) = w_i$, and such a state $w'_i$ is the unique member of its $Q$-class with this property.

5.3  Assignment 

We specify a non-atomic interpretation for assignment, in which the source expression is evaluated first:

$$\begin{array}{rl}
\llbracket X := E \rrbracket W u \;=\; & \{(\mathrm{map}\,\Delta_W\, \rho)\,\beta \mid (\rho, v) \in \llbracket E \rrbracket W u \;\&\; \beta \in \mathrm{fst}(\llbracket X \rrbracket W u)\, v\}^\dagger \\
\cup\; & \{\mathrm{map}\,\Delta_W\, \rho \mid \rho \in \llbracket E \rrbracket W u \cap W^\omega\}.
\end{array}$$

Note the use of $\mathrm{map}\,\Delta_W$ to convert expression traces into command-like traces.

For instance, the assignment $x := x + 1$, interpreted at world $W \times V_{int}$ in an environment $u$ in which $x$ corresponds to the $V_{int}$ component of state, has the following traces:

$$\llbracket x := x + 1 \rrbracket (W \times V_{int})\, u = \{((w_0, v_0), (w_0, v_0))((w_1, v_1), (w_1, v_0 + 1)) \mid w_0, w_1 \in W \;\&\; v_0, v_1 \in V_{int}\}^\dagger,$$

showing the potential for interruption after evaluation of the source expression $x + 1$ but before the update to the target variable. Closure, in this case, implies that the command also has traces of the form $((w, v), (w, v + 1))$, representing execution without interruption. In addition, closure permits the insertion of finitely many stuttering steps.

5.4  Sequential  composition 

Sequential composition corresponds to concatenation of traces:

$$\llbracket P_1 ; P_2 \rrbracket W u = \{\alpha_1 \alpha_2 \mid \alpha_1 \in \llbracket P_1 \rrbracket W u \;\&\; \alpha_2 \in \llbracket P_2 \rrbracket W u\}^\dagger.$$

It is convenient to introduce a semantic sequencing construct: for arbitrary trace sets $T_1$ and $T_2$ we define $T_1 ; T_2 = (T_1 \cdot T_2)^\dagger$. Thus $\llbracket P_1 ; P_2 \rrbracket W u = \llbracket P_1 \rrbracket W u \,;\, \llbracket P_2 \rrbracket W u$.

Naturality of this definition follows because for all trace sets $T_1$ and $T_2$ over $W$ and all morphisms $h : W \to W'$ we have $\llbracket \mathrm{comm} \rrbracket h\, (T_1 ; T_2) = (\llbracket \mathrm{comm} \rrbracket h\, T_1) ; (\llbracket \mathrm{comm} \rrbracket h\, T_2)$.

5.5  Parallel  composition 

Parallel composition of commands corresponds to fair interleaving of traces.

For each set $A$ we define the following sets:

$$\begin{array}{rcl}
\mathit{both}_A & = & \{(\alpha, \beta, \alpha\beta),\; (\alpha, \beta, \beta\alpha) \mid \alpha, \beta \in A^+\} \\
\mathit{one}_A & = & \{(\alpha, \epsilon, \alpha),\; (\epsilon, \alpha, \alpha) \mid \alpha \in A^\infty\} \\
\mathit{fairmerge}_A & = & \mathit{both}_A^{*} \cdot \mathit{one}_A \;\cup\; \mathit{both}_A^{\omega},
\end{array}$$

where $\epsilon$ represents the empty sequence and we use the obvious extension of the concatenation operation on traces to sets of triples of traces:

$$t_0 \cdot t_1 = \{(\alpha_0 \alpha_1, \beta_0 \beta_1, \gamma_0 \gamma_1) \mid (\alpha_0, \beta_0, \gamma_0) \in t_0 \;\&\; (\alpha_1, \beta_1, \gamma_1) \in t_1\}.$$

Similarly we use the obvious extensions of the Kleene iteration operators on traces. Thus, for instance, $\mathit{both}_A^{*}$ is the set of all triples obtained by concatenating together a finite sequence of triples from $\mathit{both}_A$.⁴

Intuitively, $\mathit{fairmerge}_{W \times W}$ is the set of triples $(\alpha, \beta, \gamma)$ of traces over $W$ such that $\gamma$ is a fair merge of $\alpha$ and $\beta$. Note that fairmerge satisfies the following "natural" property: for all functions $f : A \to B$,

$$(\alpha, \beta, \gamma) \in \mathit{fairmerge}_A \Rightarrow (\mathrm{map}\, f\, \alpha, \mathrm{map}\, f\, \beta, \mathrm{map}\, f\, \gamma) \in \mathit{fairmerge}_B.$$

We then define

$$\llbracket P_1 \| P_2 \rrbracket W u = \{\alpha \mid \exists (\alpha_1, \alpha_2, \alpha) \in \mathit{fairmerge}_{W \times W}.\; \alpha_1 \in \llbracket P_1 \rrbracket W u \;\&\; \alpha_2 \in \llbracket P_2 \rrbracket W u\}^\dagger.$$

Again it will be convenient to introduce a semantic parallel composition operator: for trace sets $T_1$ and $T_2$ over $W$ let $T_1 \| T_2 = \{\alpha \mid \exists (\alpha_1, \alpha_2, \alpha) \in \mathit{fairmerge}_{W \times W}.\; \alpha_1 \in T_1 \;\&\; \alpha_2 \in T_2\}^\dagger$. Naturality of $\llbracket P_1 \| P_2 \rrbracket$ follows from naturality of $\llbracket P_1 \rrbracket$ and $\llbracket P_2 \rrbracket$, since

$$\llbracket \mathrm{comm} \rrbracket h\, (T_1 \| T_2) = (\llbracket \mathrm{comm} \rrbracket h\, T_1) \;\|\; (\llbracket \mathrm{comm} \rrbracket h\, T_2),$$

for all trace sets $T_1, T_2$ over $W$ and all morphisms $h : W \to W'$.

⁴ Equivalently, $\mathit{fairmerge}_A$ can be characterized as the greatest fixed point of the monotone function $F(t) = \mathit{both}_A \cdot t \;\cup\; \mathit{one}_A$ on the complete lattice $\mathcal{P}(A^\infty \times A^\infty \times A^\infty)$. The least fixed point of this functional is the subset of triples $(\alpha, \beta, \gamma)$ from $\mathit{fairmerge}_A$ in which one or both of $\alpha$ and $\beta$ is finite.

5.6  Local  variables 

A trace of new[$\tau$] $\iota$ in $P$ at world $W$ should represent an execution of $P$ in the expanded world $W \times V_\tau$, with $\iota$ bound to a fresh variable of type $\tau$; during this execution, $P$ may change this variable's value but no other command has access to it. Only the changes to the $W$-component of the world should be reflected in the overall trace. We say that a trace $(w_0, w'_0)(w_1, w'_1) \ldots$ is interference-free iff for each $n$, $w'_n = w_{n+1}$. Thus the traces of new[$\tau$] $\iota$ in $P$ in world $W$ and environment $u$ should have the form $\mathrm{map}(\mathrm{fst} \times \mathrm{fst})\,\alpha$, where $\alpha$ is a trace of $P$ in world $W \times V_\tau$ (and suitably adjusted environment) such that $\mathrm{map}(\mathrm{snd} \times \mathrm{snd})\,\alpha$ is interference-free:

$$\llbracket \mathbf{new}[\tau]\, \iota\ \mathbf{in}\ P \rrbracket W u = \{\mathrm{map}(\mathrm{fst} \times \mathrm{fst})\,\alpha \mid \alpha \in \llbracket P \rrbracket (W \times V_\tau)\,(\llbracket \pi \rrbracket (- \times V_\tau)\, u \mid \iota : (a, e)) \;\&\; \mathrm{map}(\mathrm{snd} \times \mathrm{snd})\,\alpha \text{ interference-free}\}$$

where the "fresh variable" $(a, e) \in \llbracket \mathrm{var}[\tau] \rrbracket (W \times V_\tau)$ is defined by:

$$\begin{array}{rcl}
a & = & \lambda v' : V_\tau.\; \{((w, v), (w, v')) \mid w \in W \;\&\; v \in V_\tau\}^\dagger \\
e & = & \{(\rho\, (w, v)\, \rho', v) \mid \rho\rho' \in (W \times V_\tau)^* \;\&\; w \in W \;\&\; v \in V_\tau\}^\dagger.
\end{array}$$

5.7  Conditional 

For conditional phrases we define by induction on $\theta$, for $t \in \llbracket \mathrm{exp}[\mathrm{bool}] \rrbracket W$ and $p_1, p_2 \in \llbracket \theta \rrbracket W$, an element $\mathbf{if}\ t\ \mathbf{then}\ p_1\ \mathbf{else}\ p_2$ of $\llbracket \theta \rrbracket W$.

• For $\theta = \mathrm{comm}$, $\mathbf{if}\ t\ \mathbf{then}\ p_1\ \mathbf{else}\ p_2$ is

$$\begin{array}{l}
\{(\mathrm{map}\,\Delta_W\, \rho)\,\alpha_1 \mid (\rho, tt) \in t \;\&\; \alpha_1 \in p_1\}^\dagger \;\cup \\
\{(\mathrm{map}\,\Delta_W\, \rho)\,\alpha_2 \mid (\rho, ff) \in t \;\&\; \alpha_2 \in p_2\}^\dagger \;\cup \\
\{\mathrm{map}\,\Delta_W\, \rho \mid \rho \in t \cap W^\omega\}.
\end{array}$$

• For $\theta = (\theta_0 \to \theta_1)$, $(\mathbf{if}\ t\ \mathbf{then}\ p_1\ \mathbf{else}\ p_2)(-)$ is the indexed family given by

$$(\mathbf{if}\ t\ \mathbf{then}\ p_1\ \mathbf{else}\ p_2)(h) = \lambda p.\; \mathbf{if}\ \llbracket \mathrm{exp}[\mathrm{bool}] \rrbracket h\, t\ \mathbf{then}\ p_1(h)\, p\ \mathbf{else}\ p_2(h)\, p.$$

• For $\theta = \mathrm{var}[\tau]$ we define

$$\mathbf{if}\ t\ \mathbf{then}\ (a_1, e_1)\ \mathbf{else}\ (a_2, e_2) = (\lambda v : V_\tau.\; \mathbf{if}\ t\ \mathbf{then}\ a_1 v\ \mathbf{else}\ a_2 v,\;\; \mathbf{if}\ t\ \mathbf{then}\ e_1\ \mathbf{else}\ e_2).$$

We then define

$$\llbracket \mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 \rrbracket W u = \mathbf{if}\ \llbracket B \rrbracket W u\ \mathbf{then}\ \llbracket P_1 \rrbracket W u\ \mathbf{else}\ \llbracket P_2 \rrbracket W u.$$

Naturality is easy to check, by induction on the type.

5.8  Conditional  atomic  action 

We give a "busy wait" interpretation to an await command: if the test expression $B$ evaluates to $tt$ it executes the body $P$ without allowing interference; if the test evaluates to $ff$ it waits and tries again; if evaluation of the test diverges so does the await command.

$$\begin{array}{rl}
\llbracket \mathbf{await}\ B\ \mathbf{then}\ P \rrbracket W u \;=\; & \{(w, w') \in \llbracket P \rrbracket W u \mid (w, tt) \in \llbracket B \rrbracket W u\}^\dagger \\
\cup\; & \{(w, w) \mid (w, ff) \in \llbracket B \rrbracket W u\}^\omega \\
\cup\; & \{\mathrm{map}\,\Delta_W\, \rho \mid \rho \in \llbracket B \rrbracket W u \cap W^\omega\}.
\end{array}$$

Recall that $P$ is assumed to be a finite sequence of assignments or skip, so that $\llbracket P \rrbracket W u$ is a set of finite traces. The singleton traces $(w, w') \in \llbracket P \rrbracket W u$ thus represent "atomic" executions of $P$, during which no external state changes are permitted. If the test expression $B$ always terminates, as is common, the third part of the clause becomes vacuously empty.
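The clauses of Sections 5.2 to 5.8, instantiated over a finite world so that the trace sets can be enumerated. This is an added example and not code from the paper: it fixes a small value domain $\mathbb{Z}_N$ (the choice of $N$ is an assumption), keeps only the finite traces (there are no $\omega$-traces, and instead of computing the stuttering/mumbling closure it checks interference-freedom on the traces that are actually enumerated), and uses the model to exhibit the interruption window of the non-atomic assignment clause as a lost update, to show that the conditional atomic action closes that window, and to show that a variable introduced by new cannot be observed or disturbed by the environment.

```python
"""Finite-world model of the trace clauses of Sections 5.2 to 5.8.
Constructed example, not code from the paper: a world W is a list of states
(tuples of variable values in Z_N); a command meaning is a set of finite
traces, each a tuple of steps (w, w'). The gap between the w' of one step
and the w of the next is where the environment may interfere."""
from itertools import product

N = 3  # assumption: values live in Z_N, which keeps every trace set finite


def world(nvars):
    """All states over nvars variables: W = (Z_N)^nvars."""
    return [tuple(s) for s in product(range(N), repeat=nvars)]


def interference_free(t):
    """Section 5.6: w'_n = w_{n+1} for each pair of consecutive steps."""
    return all(t[k][1] == t[k + 1][0] for k in range(len(t) - 1))


def skip(W):
    """5.2: a single stuttering step (longer stutters come from closure)."""
    return {((w, w),) for w in W}


def assign(W, i, expr):
    """5.3: non-atomic X := E. E is read in w0 (the map-Delta image of the
    expression trace); the write happens in a possibly different state w1."""
    def upd(w, v):
        return w[:i] + (v % N,) + w[i + 1:]
    return {((w0, w0), (w1, upd(w1, expr(w0)))) for w0 in W for w1 in W}


def seq(T1, T2):
    """5.4: concatenation of traces (T1 . T2, before closure)."""
    return {a + b for a in T1 for b in T2}


def fairmerge(a, b):
    """5.5: every merge of two finite traces is fair, so this is the finite
    part of fairmerge (the both*/one decomposition collapses to interleaving)."""
    if not a:
        return {b}
    if not b:
        return {a}
    return ({(a[0],) + m for m in fairmerge(a[1:], b)}
            | {(b[0],) + m for m in fairmerge(a, b[1:])})


def par(T1, T2):
    """5.5: P1 || P2 before closure."""
    return {m for a in T1 for b in T2 for m in fairmerge(a, b)}


def await_(W, test, body):
    """5.8: await B then P. The interference-free traces of P are mumbled
    into one atomic step, enabled only if the test holds in its start state.
    Finite busy waiting (w, w) is stuttering, so closure already supplies it;
    infinite waiting needs the omega-traces this finite model omits."""
    return {((t[0][0], t[-1][1]),) for t in body
            if interference_free(t) and test(t[0][0])}


def new(W, body):
    """5.6: new[tau] i in P. body(Wx) gives P's traces over Wx = W x Z_N, the
    fresh variable being the last component. Keep the traces whose local
    component is interference-free (nothing else can touch it) and project
    them back onto W with map(fst x fst)."""
    Wx = [w + (v,) for w in W for v in range(N)]
    return {tuple((w[:-1], w2[:-1]) for w, w2 in t) for t in body(Wx)
            if interference_free(tuple((w[-1:], w2[-1:]) for w, w2 in t))}


def runs(T, w0):
    """Final states of the interference-free traces that start in w0: what
    a closed program can be observed to do when run from w0."""
    return {t[-1][1] for t in T if t[0][0] == w0 and interference_free(t)}


W1 = world(1)                                  # one global variable x = w[0]
inc = assign(W1, 0, lambda w: w[0] + 1)        # x := x + 1, non-atomic
atomic_inc = await_(W1, lambda w: True, inc)   # await true then x := x + 1


def lost_update():
    """Two racing increments from x = 0. The window between reading x + 1 and
    writing it lets one write clobber the other, so x = 1 is reachable."""
    return runs(par(inc, inc), (0,))


def atomic_increments():
    """The same race inside the conditional atomic action: only x = 2."""
    return runs(par(atomic_inc, atomic_inc), (0,))


def hidden_counter(y0):
    """new x in (x := 1; y := x), over a world with one global y = w[0] and
    the local x at index 1 of the expanded world. y always ends as 1: the
    fresh variable starts with an arbitrary value, but only P writes it."""
    body = lambda Wx: seq(assign(Wx, 1, lambda w: 1),
                          assign(Wx, 0, lambda w: w[1]))
    return runs(new(W1, body), (y0,))


if __name__ == "__main__":
    print(lost_update(), atomic_increments(), hidden_counter(2))
```

lost_update() returns {(1,), (2,)}: the trace in which both increments read before either writes is exactly the interrupted trace of the assignment clause, and it is the shape of a classic check-then-act race. atomic_increments() returns {(2,)}, because the await clause admits only the single-step (mumbled) traces of the body. hidden_counter(y0) returns {(1,)} for every y0, because the interference-free condition on the local component is what forbids the environment from ever changing the fresh variable.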
5.9  while-loops

The traces of while $B$ do $C$ are obtained by iteration. Define

$$\begin{array}{rcl}
\llbracket B \rrbracket_{tt} W u & = & \{\mathrm{map}\,\Delta_W\, \rho \mid (\rho, tt) \in \llbracket B \rrbracket W u\} \;\cup\; \{\mathrm{map}\,\Delta_W\, \rho \mid \rho \in \llbracket B \rrbracket W u \cap W^\omega\} \\
\llbracket B \rrbracket_{ff} W u & = & \{\mathrm{map}\,\Delta_W\, \rho \mid (\rho, ff) \in \llbracket B \rrbracket W u\} \;\cup\; \{\mathrm{map}\,\Delta_W\, \rho \mid \rho \in \llbracket B \rrbracket W u \cap W^\omega\}
\end{array}$$

Then we define

$$\llbracket \mathbf{while}\ B\ \mathbf{do}\ C \rrbracket W u = (\llbracket B \rrbracket_{tt} W u \,;\, \llbracket C \rrbracket W u)^{*} \,;\, \llbracket B \rrbracket_{ff} W u \;\cup\; \bigl((\llbracket B \rrbracket_{tt} W u \cdot \llbracket C \rrbracket W u)^{\omega}\bigr)^\dagger.$$

This definition can also be characterized as the closure of the greatest fixed point of the functional

$$F(t) = \llbracket B \rrbracket_{tt} W u \cdot \llbracket C \rrbracket W u \cdot t \;\cup\; \llbracket B \rrbracket_{ff} W u,$$

which operates on the complete lattice of arbitrary trace sets over $W$, ordered by set inclusion. The reason for taking the closure only after constructing the fixed point, rather than taking the fixed point of the closure-preserving version of the functional (which uses $;$ rather than $\cdot$), is shown by the special case of the loop while true do skip: for that loop the closure-preserving functional maps the set of all traces to itself, since mumbling absorbs the leading stuttering steps, so its greatest fixed point would be the set of all traces rather than the infinite stuttering sequences. A similar issue will arise later in a more general context, in our treatment of recursion. We include the semantics of while-loops here explicitly, even though it will turn out to be a familiar special case of the use of recursion, because of the simplicity of the definition and the obvious connection with operational intuition. Notice also that taking the least fixed point of the above functional would yield only the finite traces of the loop, ignoring any potential for infinite iteration.

5.10  λ-calculus

The semantic clauses for identifiers, abstraction, and application are standard:

$$\begin{array}{rcl}
\llbracket \iota \rrbracket W u & = & u\iota \\
\llbracket \lambda \iota : \theta.\, P \rrbracket W u\, h & = & \lambda a : \llbracket \theta \rrbracket W'.\; \llbracket P \rrbracket W' (\llbracket \pi \rrbracket h\, u \mid \iota : a) \\
\llbracket P(Q) \rrbracket W u & = & \llbracket P \rrbracket W u\, (\mathrm{id}_W)\, (\llbracket Q \rrbracket W u),
\end{array}$$

where, in the clause for abstraction, $h$ ranges over morphisms from $W$ to $W'$. The clauses for pairing and projections are also standard, using the cartesian structure of the functor category:

$$\begin{array}{rcl}
\llbracket (P_0, P_1) \rrbracket W u & = & (\llbracket P_0 \rrbracket W u,\; \llbracket P_1 \rrbracket W u) \\
\llbracket \mathrm{fst}\, P \rrbracket W u & = & \mathrm{fst}(\llbracket P \rrbracket W u) \\
\llbracket \mathrm{snd}\, P \rrbracket W u & = & \mathrm{snd}(\llbracket P \rrbracket W u).
\end{array}$$

5.11  Recursion 

It is possible to give a least-fixed-point interpretation for recursion, as noted above for while-loops, but this would only account for finite traces and would therefore preclude reasoning about safety and liveness properties of programs. Instead we make use of greatest fixed points to obtain a model containing both finite and infinite traces.

We know from Tarski's theorem [Tar55] that every monotone function on a complete lattice has a greatest fixed point. This might suggest that we begin by establishing that each domain $\llbracket \theta \rrbracket W$ is a complete lattice. Unfortunately this is not generally true. Although $\llbracket \mathrm{comm} \rrbracket W$ is a complete lattice for each world $W$, with top element the set of all traces over $W$, the functions $\llbracket \mathrm{comm} \rrbracket h$ do not generally preserve top. For instance, when $h = (f, Q) : W \to W'$ is a non-trivial expansion morphism, so that $Q$ has more than one equivalence class,

$$\begin{array}{rcl}
\llbracket \mathrm{comm} \rrbracket h\, (\mathrm{top}_{\llbracket \mathrm{comm} \rrbracket W}) & = & \llbracket \mathrm{comm} \rrbracket h\, ((W \times W)^\infty) \\
& = & \{\alpha' \in (W' \times W')^\infty \mid \mathrm{map}(Q)\, \alpha'\} \\
& \neq & \mathrm{top}_{\llbracket \mathrm{comm} \rrbracket W'}.
\end{array}$$

As a consequence, $\llbracket \mathrm{comm} \to \mathrm{comm} \rrbracket W$ is not a complete lattice, because it does not possess a top. We can see this as follows. The obvious order-theoretic candidate for top of $\llbracket \mathrm{comm} \to \mathrm{comm} \rrbracket W$, i.e. the family $\mathrm{top}(-)$ such that for all $h : W \to W'$,

$$\mathrm{top}(h) = \lambda d' : \llbracket \mathrm{comm} \rrbracket W'.\; \mathrm{top}_{\llbracket \mathrm{comm} \rrbracket W'},$$

lacks the naturality property required for membership in $\llbracket \mathrm{comm} \to \mathrm{comm} \rrbracket W$, as was just shown above. Furthermore, the obvious natural candidate for tophood, i.e. the family $\mathrm{top}(-)$ given by

$$\mathrm{top}(h) = \lambda d' : \llbracket \mathrm{comm} \rrbracket W'.\; \llbracket \mathrm{comm} \rrbracket h\, (\mathrm{top}_{\llbracket \mathrm{comm} \rrbracket W}),$$

is not the order-theoretic top, since it does not dominate the identity family $\mathrm{id}(h) = \lambda d' : \llbracket \mathrm{comm} \rrbracket W'.\; d'$.

The resolution of this dilemma is suggested by the operational behavior of the command rec $\iota.\iota$: this command simply diverges, without ever changing the state, no matter how its environment tries to interfere. Its trace set should therefore consist of the infinite stuttering sequences. This trace set is not the greatest fixed point of the identity function on $\llbracket \mathrm{comm} \rrbracket W$, as might be suggested by the syntactic form of the command. Instead it can be characterized as (the closure of) the greatest fixed point of the monotone functional $\lambda c.\; \{(w, w)\,\alpha \mid w \in W \;\&\; \alpha \in c\}$, operating on the complete lattice $\mathcal{P}((W \times W)^\infty)$ of arbitrary trace sets; intuitively, the extra initial stutter mimics an operational step in which the recursion is unwound. It is easy to prove that the greatest fixed point of this functional does indeed consist of the infinite stuttering sequences. Clearly this trace set is also closed under stuttering and mumbling, so belongs to the sublattice $\mathcal{P}^\dagger((W \times W)^\infty)$. Moreover, when $h : W \to W'$ we have

$$\begin{array}{rcl}
\llbracket \mathrm{comm} \rrbracket h\, (\llbracket \mathbf{rec}\ \iota.\iota \rrbracket W u) & = & \llbracket \mathrm{comm} \rrbracket h\, (\{(w, w) \mid w \in W\}^\omega) \\
& = & \{(w', w') \mid w' \in W'\}^\omega \\
& = & \llbracket \mathbf{rec}\ \iota.\iota \rrbracket W' (\llbracket \pi \rrbracket h\, u),
\end{array}$$

so that $\llbracket \mathbf{rec}\ \iota.\iota \rrbracket$ is indeed a natural transformation.

A similar argument can be given for a recursive phrase rec $\iota.P$ at general type $\theta$. The key to a general definition of $\llbracket \mathbf{rec}\ \iota.P \rrbracket W$ is to embed each $\llbracket \theta \rrbracket W$ in a suitable lattice $\overline{\llbracket \theta \rrbracket} W$, and generalize the insertion of an initial stutter, and the notion of closure, to all phrase types. For each type $\theta$ we define a functor $\overline{\llbracket \theta \rrbracket}$ from the category of worlds to the category of complete lattices and monotone functions; in essence, $\overline{\llbracket \theta \rrbracket}$ is like $\llbracket \theta \rrbracket$ as defined before, except that we relax the naturality requirements at arrow types and the closure requirements at ground types. For each type $\theta$ we define a natural transformation $\mathit{stut}_\theta$ from $\overline{\llbracket \theta \rrbracket}$ to $\overline{\llbracket \theta \rrbracket}$; at ground types this inserts a stuttering step at the beginning of all traces in a trace set, and at arrow types it produces a procedure meaning that induces an extra initial stuttering step at result type, whenever the procedure is called. We then define a natural transformation $\mathit{clos}_\theta$ from $\overline{\llbracket \theta \rrbracket}$ to $\llbracket \theta \rrbracket$ that restores closure. The semantic definitions given earlier, modified to omit the use of closure, serve to define a semantic function $\overline{\llbracket P \rrbracket}$ such that, when $\pi \vdash P : \theta$ and $u \in \llbracket \pi \rrbracket W$, we have $\overline{\llbracket P \rrbracket} W u \in \overline{\llbracket \theta \rrbracket} W$.

In particular, when $\pi, \iota : \theta \vdash P : \theta$ and $u \in \llbracket \pi \rrbracket W$, the function $F(p) = \mathit{stut}_\theta W\, (\overline{\llbracket P \rrbracket} W (u \mid \iota : p))$ is a monotone map on the complete lattice $\overline{\llbracket \theta \rrbracket} W$. Its greatest fixed point, which we denote by $\nu p.\, F(p)$, is in $\overline{\llbracket \theta \rrbracket} W$, and the closure of this fixed point is in $\llbracket \theta \rrbracket W$. We therefore take

$$\llbracket \mathbf{rec}\ \iota.P \rrbracket W u = \mathit{clos}_\theta W\, (\nu p.\; \mathit{stut}_\theta W\, (\overline{\llbracket P \rrbracket} W (u \mid \iota : p))).$$

This definition is natural, in that $\llbracket \theta \rrbracket h\, (\llbracket \mathbf{rec}\ \iota.P \rrbracket W u) = \llbracket \mathbf{rec}\ \iota.P \rrbracket W' (\llbracket \pi \rrbracket h\, u)$. Stuttering plays a crucial role in the proof of this result. Indeed, in the absence of $\mathit{stut}_\theta W$ naturality would fail, as seen when $P$ is $\iota$. The Appendix contains further details.

Note that this semantic definition does indeed provide the command rec $\iota.\iota$ with the desired denotation, i.e.

$$\llbracket \mathbf{rec}\ \iota.\iota : \mathrm{comm} \rrbracket W u = \{(w, w) \mid w \in W\}^\omega.$$

Moreover, the analogous recursion at procedure type comm → comm denotes the family

$$\lambda h : W \to W'.\; \lambda a : \llbracket \mathrm{comm} \rrbracket W'.\; \{(w', w') \mid w' \in W'\}^\omega,$$

corresponding to a procedure that causes divergence whenever called. Again this conforms with our operational expectations.

It is also easy to verify that the meaning given to

$$\mathbf{rec}\ c.\; \mathbf{if}\ B\ \mathbf{then}\ C ; c\ \mathbf{else}\ \mathbf{skip}$$

coincides with the semantics given earlier for the loop while $B$ do $C$, provided $c \notin FV(C)$.


6  Reasoning  about  program  behavior 

The semantics validates a number of natural laws of program equivalence, including (when $\iota$ does not occur free in $P'$):

$$\begin{array}{rcl}
\mathbf{new}[\tau]\, \iota\ \mathbf{in}\ P' & = & P' \\
\mathbf{new}[\tau]\, \iota\ \mathbf{in}\ (P \| P') & = & (\mathbf{new}[\tau]\, \iota\ \mathbf{in}\ P) \;\|\; P' \\
\mathbf{new}[\tau]\, \iota\ \mathbf{in}\ (P ; P') & = & (\mathbf{new}[\tau]\, \iota\ \mathbf{in}\ P) \,;\, P'.
\end{array}$$

Similarly the semantics validates laws such as the following, which show that the order in which local variables are declared is irrelevant:

$$\begin{array}{rcl}
\mathbf{new}[\tau_1]\, \iota_1\ \mathbf{in}\ \mathbf{new}[\tau_2]\, \iota_2\ \mathbf{in}\ P & = & \mathbf{new}[\tau_2]\, \iota_2\ \mathbf{in}\ \mathbf{new}[\tau_1]\, \iota_1\ \mathbf{in}\ P \\
\mathbf{new}[\tau_1]\, \iota_1\ \mathbf{in}\ \mathbf{new}[\tau_2]\, \iota_2\ \mathbf{in}\ P(\iota_1, \iota_2) & = & \mathbf{new}[\tau_1]\, \iota_1\ \mathbf{in}\ \mathbf{new}[\tau_2]\, \iota_2\ \mathbf{in}\ P(\iota_2, \iota_1)
\end{array}$$

These laws amount to naturality (for a phrase $P$ of the appropriate type) with respect to the natural isomorphism of worlds $(W \times V_{\tau_1}) \times V_{\tau_2}$ and $(W \times V_{\tau_2}) \times V_{\tau_1}$, this isomorphism being a composition of suitably chosen swap and assoc morphisms as discussed earlier.

The semantics also validates familiar laws of functional programming, such as $\beta$-equivalence and the usual recursion law:

$$\begin{array}{rcl}
(\lambda \iota : \theta.\, P)(Q) & = & P[Q/\iota] \\
\mathbf{rec}\ \iota.P & = & P[\mathbf{rec}\ \iota.P / \iota],
\end{array}$$

where $P[Q/\iota]$ is the phrase obtained by replacing every free occurrence of $\iota$ in $P$ by $Q$, with renaming when necessary to avoid capture.

Similarly the model validates laws relating the conditional construct with functional abstraction and application:

$$\begin{array}{rcll}
(\mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2)(Q) & = & \mathbf{if}\ B\ \mathbf{then}\ P_1(Q)\ \mathbf{else}\ P_2(Q) & \\
\lambda \iota : \theta.\, \mathbf{if}\ B\ \mathbf{then}\ P_1\ \mathbf{else}\ P_2 & = & \mathbf{if}\ B\ \mathbf{then}\ \lambda \iota : \theta.\, P_1\ \mathbf{else}\ \lambda \iota : \theta.\, P_2 & \text{if } \iota \notin FV(B),
\end{array}$$

and the semantics validates laws familiar from imperative programming, such as

$$\begin{array}{rcl}
(\mathbf{if}\ B\ \mathbf{then}\ X_1\ \mathbf{else}\ X_2) := E & = & \mathbf{if}\ B\ \mathbf{then}\ X_1 := E\ \mathbf{else}\ X_2 := E \\
\mathbf{while}\ B\ \mathbf{do}\ C & = & \mathbf{if}\ B\ \mathbf{then}\ C ; \mathbf{while}\ B\ \mathbf{do}\ C\ \mathbf{else}\ \mathbf{skip} \\
\mathbf{skip} \| C & = & C \| \mathbf{skip} \;=\; C \\
\mathbf{skip} ; C & = & C ; \mathbf{skip} \;=\; C
\end{array}$$

Our semantics also equates while true do skip and await false then skip, because of our busy-wait interpretation of conditional atomic actions.

The semantics supports compositional reasoning about safety and liveness properties. For instance, it is possible to show the correctness of the mutual exclusion procedure discussed earlier, and to show the equivalence of the workers and barrier procedures.

For a more complex example involving parallelism, consider the following implementation of a synchronization "object", exploiting two local boolean variables and a pair of procedures which can be invoked to set up synchronization:

    boolean flag0, flag1;
    procedure synch(x, y); (x := true; await y; y := false);
    flag0 := false; flag1 := false;
    P(synch(flag0, flag1), synch(flag1, flag0))

Here $P$ is a free identifier of type $(\mathrm{comm} \times \mathrm{comm} \to \mathrm{comm})$. Since $P$ is a non-local identifier, the only way for this phrase to access the flag variables is by one of the two pre-packaged ways to call synch. Intuitively, the behavior of this phrase should remain identical if we use a "dualized" implementation of the flags, interchanging the roles of the two truth values. Thus, this phrase should be equivalent to

    boolean flag0, flag1;
    procedure synch(x, y); (x := false; await ¬y; y := true);
    flag0 := true; flag1 := true;
    P(synch(flag0, flag1), synch(flag1, flag0))

This is an example of the principle of representation independence. Our semantics for Parallel Algol validates this equivalence, by virtue of the existence of a suitable isomorphism of worlds that relates the two implementations. To be specific, for all worlds $W$ there is an isomorphism $\mathit{dual} : W \times V_{bool} \to W \times V_{bool}$ involving the function $\lambda (w, b).\; (w, \neg b)$, equipped with the universal equivalence relation on $W \times V_{bool}$. Naturality of the meaning of $P$ with respect to this morphism is enough to establish the desired equivalence. Note that this is an equivalence between two terms containing a free identifier. In essence, no matter how the "rest" of the program is filled in, provided it is only allowed access to the two flags by calling one of the supplied procedures, the two implementations are indistinguishable. For example, if we substitute for $P$ the procedure

$$\lambda (\mathit{left}, \mathit{right}).\; (\mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (c_0 ; \mathit{left}) \;\|\; \mathbf{while}\ \mathbf{true}\ \mathbf{do}\ (c_1 ; \mathit{right}))$$

we recover the barrier synchronization example discussed earlier.

Although the above semantics validates many laws of program equivalence related to locality in parallel programming, there remain equivalences for which we can give convincing informal justification, yet which are not valid in this model. Consider for example the following phrase:

$$\mathbf{new}[\mathrm{int}]\, x\ \mathbf{in}\ (x := 0;\; P(x := x + 1)),$$

where $P$ is a free identifier of type comm → comm. No matter how $P$ is instantiated this should have the same effect as $P(\mathbf{skip})$. As observed by O'Hearn and Tennent, this equivalence holds for the sequential language yet is not validated by the sequential possible worlds semantics. Indeed, the equivalence should still hold in the parallel setting, because the two phrases obviously treat the non-local part of the state the same way. This argument may be formalized by establishing an invariant relationship between the states arising during executions of the two phrases; however, the preservation of this invariant does not follow immediately from naturality of $\llbracket P \rrbracket$.

Similarly, and exactly as in the Reynolds-Oles semantics of Idealized Algol, our semantics typically fails to support proofs of representation independence involving non-isomorphic representations. This is illustrated by the following example, adapted from [OT95]. Consider an abstract "switch" object, initially "off", with two capabilities which can be thought of as a method for turning the switch "on" and a test to see if the switch has been turned on. One implementation uses a boolean variable:

    boolean z;
    procedure flick; (z := true);
    procedure on; return z;
    z := false;
    P(flick, on)

Another implementation uses an integer variable, and treats all positive integers as "on", zero as "off":

    integer z;
    procedure flick; (z := z + 1);
    procedure on; return (z > 0);
    z := 0;
    P(flick, on)

Intuitively, even if $P$ is allowed to use parallelism, and even though assignment is not assumed to be atomic, these two phrases will always be equivalent. Yet the possible worlds semantics fails to validate this equivalence. Informally an argument supporting the equivalence can be given, by establishing an invariant relation between the states produced during execution of the two phrases. The problem is that naturality is not a sufficiently stringent requirement on phrase denotations, since it does not imply the kind of relation-preserving properties necessary to justify equivalences such as this.

7  Relational  parametricity 

In response to this inadequacy O'Hearn and Tennent [OT95] formulated a more refined semantics for Idealized Algol embodying "relational parametricity", in which values of procedure type are constrained by certain parametricity properties that guarantee good behavior. This parametric model of Idealized Algol then supports relational reasoning of the kind needed to establish program equivalences based on representation independence. We will show how to generalize their approach to the shared-variable setting. We first summarize some background material from [OT95].

7.1  Relations  between  worlds 

We introduce a category whose objects are relations $R$ between worlds; we write $R : W \leftrightarrow W'$ or $R \subseteq W \times W'$. For each world $W$ we let $\Delta_W : W \leftrightarrow W$ denote the identity relation on $W$, i.e. $\Delta_W = \{(w, w) \mid w \in W\}$.

A morphism from $R : W_0 \leftrightarrow W_1$ to $S : X_0 \leftrightarrow X_1$ is a pair $(h_0 : W_0 \to X_0,\; h_1 : W_1 \to X_1)$ of morphisms in $\mathbf{W}$, such that, letting $h_0 = (f_0, Q_0)$ and $h_1 = (f_1, Q_1)$,

• for all $(x_0, x_1) \in S$, $(f_0\, x_0, f_1\, x_1) \in R$;

• for all $(x_0, x_1) \in S$, $x'_0 \in X_0$ and $x'_1 \in X_1$, if $(x_0, x'_0) \in Q_0 \;\&\; (x_1, x'_1) \in Q_1$ then $(x'_0, x'_1) \in S$.

Loosely, we refer to these properties as saying that $h_0$ and $h_1$ respect $R$ and $S$. We represent such a morphism as a square with $h_0 : W_0 \to X_0$ along the top, $h_1 : W_1 \to X_1$ along the bottom, and the relations $R$ (on the left) and $S$ (on the right) as its vertical sides. The identity morphism from $R$ to $R$ is the square whose horizontal sides are $\mathrm{id}_{W_0}$ and $\mathrm{id}_{W_1}$ and whose vertical sides are both $R$.

Composition in this category of relations is defined in the obvious way, building on composition in the category of worlds: when $(h_0, h_1) : R \to R'$ and $(h'_0, h'_1) : R' \to R''$ the composite morphism is $(h_0, h_1) ; (h'_0, h'_1) = (h_0 ; h'_0,\; h_1 ; h'_1)$.

7.2  Parametric  functors  and  natural  transformations 

For each type $\theta$ we define a parametric functor $\llbracket \theta \rrbracket$ from worlds to domains, i.e. a functor $\llbracket \theta \rrbracket$ from $\mathbf{W}$ to $\mathbf{D}$ equipped with an action on relations, such that:

• whenever $R : W_0 \leftrightarrow W_1$, $\llbracket \theta \rrbracket R : \llbracket \theta \rrbracket W_0 \leftrightarrow \llbracket \theta \rrbracket W_1$;

• for all $W$, $\llbracket \theta \rrbracket \Delta_W = \Delta_{\llbracket \theta \rrbracket W}$;

• whenever $(h_0, h_1)$ is a morphism from $R : W_0 \leftrightarrow W_1$ to $S : X_0 \leftrightarrow X_1$, the pair $(\llbracket \theta \rrbracket h_0, \llbracket \theta \rrbracket h_1)$ is a morphism from $\llbracket \theta \rrbracket R$ to $\llbracket \theta \rrbracket S$, by which we mean that

$$(d_0, d_1) \in \llbracket \theta \rrbracket R \Rightarrow (\llbracket \theta \rrbracket h_0\, d_0,\; \llbracket \theta \rrbracket h_1\, d_1) \in \llbracket \theta \rrbracket S.$$

The first two conditions above say that $\llbracket \theta \rrbracket$ constitutes a "relator" [MS93, AJ91]. The last condition is a parametricity constraint.

Each well-typed phrase denotes a parametric natural transformation $\llbracket P \rrbracket$ between the parametric functors $\llbracket \pi \rrbracket$ and $\llbracket \theta \rrbracket$, i.e. a natural transformation obeying the following parametricity constraint: whenever $R : W_0 \leftrightarrow W_1$,

$$(u_0, u_1) \in \llbracket \pi \rrbracket R \Rightarrow (\llbracket P \rrbracket W_0\, u_0,\; \llbracket P \rrbracket W_1\, u_1) \in \llbracket \theta \rrbracket R,$$

i.e. the square with $\llbracket P \rrbracket W_0 : \llbracket \pi \rrbracket W_0 \to \llbracket \theta \rrbracket W_0$ along the top, $\llbracket P \rrbracket W_1$ along the bottom, and the relations $\llbracket \pi \rrbracket R$ and $\llbracket \theta \rrbracket R$ as its vertical sides is a morphism of relations.

Parametric natural transformations compose in the usual pointwise manner. The category having all parametric functors from $\mathbf{W}$ to $\mathbf{D}$ as objects, and all parametric natural transformations as morphisms, is cartesian closed [OT95].

Hence we may use the cartesian closed structure of this category in a perfectly standard way to interpret the $\lambda$-calculus fragment of our language, exactly along the lines developed in [OT95]. To adapt these ideas to the parallel setting, we must give trace-theoretic interpretations to types comm, var[$\tau$], and exp[$\tau$]. We give details only for comm and exp[$\tau$], the definitions for var[$\tau$] then being derivable.

7.3  Commands

We  define  [comm]W  and  [commj/i  as  before.  To  define  [commji?  : 
[comm]  Wo  [commjWi,  when  R  :  Wo  Wi,  let  map(i?)  be  the  obvious 
extension  of  R  to  traces  of  the  same  length,  so  that  map(i?)  C  W£°  X  W^°. 
We  then  define 

(c0,  ci)  e  [commji?  <=> 

(Va0  e  c0.  V/?i.  (map fst  a0,  pi)  e  map(i?)  => 

3aq  e  Ci.  map  fst  aq  =  pi  &  (mapsnda0,  mapsndaq)  e  map(i?)) 

&  (Vaq  e  ci.  V/?o-  [po,  map  fst  aq)  e  map(i?)  => 

3a0  e  c0.  map  fst  a0  =  po  &  (mapsnda0,  mapsndaq)  e  map(i?)). 

This  is  intended  to  capture  the  following  intuition:  [commji?  relates  two 
command  meanings  iff,  whenever  started  in  states  related  by  R  and  inter¬ 
rupted  in  related  ways,  the  commands  respond  in  related  ways.  This,  in¬ 
formally,  expresses  the  idea  that  a  trace  set  represents  a  (nondeterministic) 
state-transformation  “extended  in  time”. 

It  is  straightforward  to  verify  that  [comm]  is  indeed  a  parametric  functor. 
In  particular,  since  mapAq/  is  the  identity  relation  on  W°° ,  and  two  traces 
a0  and  a i  over  W  xW  are  equal  iff  map  fst  a0  =  map  fst  a i  and  map  snd  a0  = 
mapsndaq,  it  is  easy  to  see  that 

(c0,ci)  e  [comm]  Aq/  c0  =  cl5 

as  required.  Now  suppose  (h0}hi)  :  R  — >■  S  and  (c0,ci)  e  [comm]i?.  We 
must  show  that 


([comm]h0c0,  [commjhici)  e  [comm] S'. 

This  follows  by  a  routine  calculation,  using  the  fact  that  the  morphisms  h0 
and  hi  respect  the  relations  R  and  S. 

As an example to illustrate this definition, suppose $x$ is a variable of data type int corresponding to the $V_{\mathrm{int}}$-component in states of shape $W \times V_{\mathrm{int}}$. Let $u$ be a corresponding environment. Let $c_0$ and $c_1$ be the trace sets corresponding to x:=x+1 and x:=x-1, respectively, i.e.

$$
\begin{array}{l}
c_0 = \{((w_0, v_0), (w_0, v_0))((w_1, v_1), (w_1, v_0 + 1)) \mid w_0, w_1 \in W \ \&\ v_0, v_1 \in V_{\mathrm{int}}\}^\dagger \\
c_1 = \{((w_0, v_0), (w_0, v_0))((w_1, v_1), (w_1, v_0 - 1)) \mid w_0, w_1 \in W \ \&\ v_0, v_1 \in V_{\mathrm{int}}\}^\dagger
\end{array}
$$

Let $R$ be the relation on $W \times V_{\mathrm{int}}$ given by

$$(w, v)\,R\,(w', v') \iff w = w' \ \&\ v = -v'.$$

Then $(c_0, c_1) \in \llbracket\mathrm{comm}\rrbracket R$.

As a further example, let $c \in \llbracket\mathrm{comm}\rrbracket W$ and define the relation $R : W \leftrightarrow W \times V$ by

$$w\,R\,(w', v) \iff w = w'.$$

Then $(c, \llbracket\mathrm{comm}\rrbracket(- \times V)\,c) \in \llbracket\mathrm{comm}\rrbracket R$.

Note also that the above definition of $\llbracket\mathrm{comm}\rrbracket R$ makes sense even when applied to arbitrary trace sets, i.e. closure is not crucial for the definition. Clearly we have

$$(c_0, c_1) \in \llbracket\mathrm{comm}\rrbracket R \Rightarrow (c_0^\dagger, c_1^\dagger) \in \llbracket\mathrm{comm}\rrbracket R.$$

We also have

$$
\begin{array}{l}
(p_0, q_0) \in \llbracket\mathrm{comm}\rrbracket R \ \&\ (p_1, q_1) \in \llbracket\mathrm{comm}\rrbracket R \Rightarrow (p_0 ; p_1,\ q_0 ; q_1) \in \llbracket\mathrm{comm}\rrbracket R \\
(p_0, q_0) \in \llbracket\mathrm{comm}\rrbracket R \ \&\ (p_1, q_1) \in \llbracket\mathrm{comm}\rrbracket R \Rightarrow (p_0 \parallel p_1,\ q_0 \parallel q_1) \in \llbracket\mathrm{comm}\rrbracket R
\end{array}
$$

so that sequential and parallel composition (and hence also iteration) interact smoothly with the action of $\llbracket\mathrm{comm}\rrbracket$ on relations.


7.4 Expressions

For expressions, we define $\llbracket\mathrm{exp}[\tau]\rrbracket W$ and $\llbracket\mathrm{exp}[\tau]\rrbracket h$ as before. When $R : W_0 \leftrightarrow W_1$ we define

$$
\begin{array}{l}
(e_0, e_1) \in \llbracket\mathrm{exp}[\tau]\rrbracket R \iff \\
\quad (\forall \rho_0 \in e_0 \cap W_0^\omega.\ \forall \rho_1.\ (\rho_0, \rho_1) \in \mathrm{map}(R) \Rightarrow \rho_1 \in e_1) \\
\quad \&\ (\forall (\rho_0, v) \in e_0.\ \forall \rho_1.\ (\rho_0, \rho_1) \in \mathrm{map}(R) \Rightarrow (\rho_1, v) \in e_1) \\
\quad \&\ (\forall \rho_1 \in e_1 \cap W_1^\omega.\ \forall \rho_0.\ (\rho_0, \rho_1) \in \mathrm{map}(R) \Rightarrow \rho_0 \in e_0) \\
\quad \&\ (\forall (\rho_1, v) \in e_1.\ \forall \rho_0.\ (\rho_0, \rho_1) \in \mathrm{map}(R) \Rightarrow (\rho_0, v) \in e_0)
\end{array}
$$

Intuitively, two expression meanings are related if when evaluated in related ways they either terminate together with the same answer, or both fail to terminate.

As an example, suppose again that $x$ is a variable of type int corresponding to the $V_{\mathrm{int}}$ component in states of shape $W \times V_{\mathrm{int}}$. Using the same relation $R$ as above, so that

$$(w, v)\,R\,(w', v') \iff w = w' \ \&\ v = -v',$$

and assuming that $u$ is a suitable environment, we have

$$(\llbracket x\rrbracket(W \times V_{\mathrm{int}})u,\ \llbracket -x\rrbracket(W \times V_{\mathrm{int}})u) \in \llbracket\mathrm{exp}[\mathrm{int}]\rrbracket R.$$
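The definition of $\llbracket\mathrm{comm}\rrbracket R$ with its x:=x+1 / x:=x-1 example in Section 7.3, and the $\llbracket\mathrm{exp}[\mathrm{int}]\rrbracket R$ example just above, can be checked mechanically over a small finite state space. The following Python script is an added example written for this page, not code from the paper. It assumes a two-element world $W$ and a finite window of integer values standing in for $V_{\mathrm{int}}$ (both constructed so that the trace sets are finite), works with unclosed trace sets (which Section 7.3 notes the definition permits), and represents a relation $R$ on states as a Python predicate; the quantification over interrupting traces $\beta$ is done by enumerating every state trace of the right length.

```python
from collections import defaultdict
from itertools import product

W = (0, 1)                               # constructed: the "rest of the store" component
V = range(-2, 3)                         # constructed: finite window standing in for V_int
STATES = [(w, v) for w in W for v in V]  # states of shape W x V_int


def assign_traces(delta):
    """Unclosed trace set of x := x + delta (the c0, c1 of Section 7.3): a read
    step leaving the state unchanged, then a write step whose result depends
    only on the value read earlier, so the assignment is non-atomic."""
    return {
        (((w0, v0), (w0, v0)), ((w1, v1), (w1, v0 + delta)))
        for (w0, v0), (w1, v1) in product(STATES, STATES)
        if v0 + delta in V  # keep the written value inside the finite window
    }


def expr_traces(sign):
    """Unclosed meaning of the expression x (sign=+1) or -x (sign=-1): one
    evaluation state paired with the value yielded; no divergent traces."""
    return {(((w, v),), sign * v) for (w, v) in STATES}


def map_fst(alpha):
    return tuple(s for s, _ in alpha)


def map_snd(alpha):
    return tuple(t for _, t in alpha)


def map_rel(R, rho0, rho1):
    """map(R): R extended pointwise to state traces of the same length."""
    return len(rho0) == len(rho1) and all(R(s0, s1) for s0, s1 in zip(rho0, rho1))


def _comm_half(R, ca, cb):
    """One conjunct of [[comm]]R: each trace of ca, started and interrupted in
    any way related to its own input states, is matched by a trace of cb with
    exactly those inputs and related outputs."""
    by_inputs = defaultdict(list)
    for alpha_b in cb:
        by_inputs[map_fst(alpha_b)].append(map_snd(alpha_b))
    for alpha_a in ca:
        ins, outs = map_fst(alpha_a), map_snd(alpha_a)
        for beta in product(STATES, repeat=len(ins)):  # every candidate interruption
            if map_rel(R, ins, beta) and not any(
                map_rel(R, outs, outs_b) for outs_b in by_inputs[beta]
            ):
                return False
    return True


def comm_rel(R, c0, c1):
    """(c0, c1) in [[comm]]R: both conjuncts, with R read from the c0 side."""
    flipped = lambda s1, s0: R(s0, s1)
    return _comm_half(R, c0, c1) and _comm_half(flipped, c1, c0)


def _exp_half(R, ea, eb):
    """The terminating-evaluation conjuncts of [[exp[tau]]]R: a related
    evaluation trace must terminate in eb with the same value.  (The W^omega
    conjuncts are vacuous here because neither meaning diverges.)"""
    for rho_a, value in ea:
        for rho_b in product(STATES, repeat=len(rho_a)):
            if map_rel(R, rho_a, rho_b) and (rho_b, value) not in eb:
                return False
    return True


def exp_rel(R, e0, e1):
    flipped = lambda s1, s0: R(s0, s1)
    return _exp_half(R, e0, e1) and _exp_half(flipped, e1, e0)


def negate_rel(s, t):
    """Section 7.3's R: (w, v) R (w', v') iff w = w' and v = -v'."""
    return s[0] == t[0] and s[1] == -t[1]


def identity_rel(s, t):
    """Delta_W: the identity relation, under which [[comm]]Delta is equality."""
    return s == t


def demo():
    inc, dec = assign_traces(+1), assign_traces(-1)
    return {
        "inc/dec related by R": comm_rel(negate_rel, inc, dec),        # True
        "inc/inc related by R": comm_rel(negate_rel, inc, inc),        # False
        "inc/inc related by Delta": comm_rel(identity_rel, inc, inc),  # True
        "inc/dec related by Delta": comm_rel(identity_rel, inc, dec),  # False
        "x/-x related by R": exp_rel(negate_rel, expr_traces(+1), expr_traces(-1)),  # True
    }
```

The two negative cases are as informative as the positive ones: under $\Delta_W$ the relation collapses to equality of trace sets, as the text claims, and under the negating $R$ a command is not related to itself, because its second step writes $v_0+1$ where the related run would have to write $-(v_0+1)$. Symmetry of the window under negation is what keeps the truncation from introducing spurious failures.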

7.5 Semantic definitions

The possible worlds semantics given above can be adapted immediately to the parametric setting, provided we show that each phrase denotes a parametric natural transformation. This is straightforward, using structural induction. For instance, it is easy to see that when $R : W \leftrightarrow W'$, parametricity of $\llbracket\mathrm{skip}\rrbracket$ amounts to the fact that

$$(\{(w, w) \mid w \in W\}^\dagger,\ \{(w', w') \mid w' \in W'\}^\dagger) \in \llbracket\mathrm{comm}\rrbracket R,$$

which holds obviously. Similarly, for the parallel construct the parametricity of $\llbracket P_1 \parallel P_2\rrbracket$ follows from parametricity of $\llbracket P_1\rrbracket$ and $\llbracket P_2\rrbracket$, since interleaving of trace sets respects $\llbracket\mathrm{comm}\rrbracket R$. Recursion requires a careful argument based on co-inductive properties of greatest fixed points.

To show the parametricity of recursion, let $\pi, \iota : \theta \vdash P : \theta$ and assume that $P$ denotes a parametric natural transformation. We need to show that for all $R : W_0 \leftrightarrow W_1$, whenever $(u_0, u_1) \in \llbracket\pi\rrbracket R$,

$$(\llbracket\mathrm{rec}\ \iota.P\rrbracket W_0 u_0,\ \llbracket\mathrm{rec}\ \iota.P\rrbracket W_1 u_1) \in \llbracket\theta\rrbracket R.$$

This may be achieved by means of a temporary detour using the parametric analogues of the functors $[\theta]$ used earlier. Let $F_0$ and $F_1$ be given by:

$$
\begin{array}{l}
F_0(p_0) = \mathrm{stut}_\theta W_0([P]W_0(u_0 \mid \iota : p_0)), \\
F_1(p_1) = \mathrm{stut}_\theta W_1([P]W_1(u_1 \mid \iota : p_1)).
\end{array}
$$

By assumption on $P$, whenever $(p_0, p_1) \in [\theta]R$ it follows that $(F_0(p_0), F_1(p_1)) \in [\theta]R$. Consequently the functional $F : [\theta]W_0 \times [\theta]W_1 \to [\theta]W_0 \times [\theta]W_1$ given by

$$F(p_0, p_1) = (F_0(p_0), F_1(p_1))$$

is a monotone function on a complete lattice, and maps $[\theta]R$ into itself. One can then show that the closure of its greatest fixed point is in $\llbracket\theta\rrbracket R$, and coincides with the pair $(\llbracket\mathrm{rec}\ \iota.P\rrbracket W_0 u_0,\ \llbracket\mathrm{rec}\ \iota.P\rrbracket W_1 u_1)$.

7.6 Examples of reasoning

In addition to the laws and examples listed earlier, the relationally parametric semantics also validates the problematic equivalence discussed above:

new[int] ι in (ι:=0; P(ι:=ι+1)) = P(skip),

where $P$ is a free identifier of type comm → comm. To prove this, one can use a relation of form $R : W \leftrightarrow W \times V_{\mathrm{int}}$, given by $w\,R\,(w', v) \iff w = w' \in W \ \&\ v \in V_{\mathrm{int}}$. It is easy to show that, when $u$ is a suitable environment in $\llbracket\pi\rrbracket W$ and $u'$ binds $\iota$ to the "fresh variable" represented by the $V_{\mathrm{int}}$ component of state, we get

$$(\llbracket\mathrm{skip}\rrbracket W u,\ \llbracket \iota{:=}\iota+1\rrbracket(W \times V_{\mathrm{int}})u') \in \llbracket\mathrm{comm}\rrbracket R.$$

The desired result follows by parametricity of $\llbracket P\rrbracket$.

Similarly, the parametric semantics validates the following equivalence,

new[int] ι in (ι:=1; P(ι)) = P(1),

when $P$ is a free identifier of type exp[int] → comm.

Recall that we showed earlier that, when $u$ is a suitable environment in which $x$ denotes the $V_{\mathrm{int}}$ component of states of shape $W \times V_{\mathrm{int}}$, and $R$ is the relation

$$(w, v)\,R\,(w', v') \iff w = w' \ \&\ v = -v',$$

we have

$$
\begin{array}{l}
(\llbracket x{:=}x+1\rrbracket(W \times V_{\mathrm{int}})u,\ \llbracket x{:=}x-1\rrbracket(W \times V_{\mathrm{int}})u) \in \llbracket\mathrm{comm}\rrbracket R \\
(\llbracket x\rrbracket(W \times V_{\mathrm{int}})u,\ \llbracket -x\rrbracket(W \times V_{\mathrm{int}})u) \in \llbracket\mathrm{exp}[\mathrm{int}]\rrbracket R
\end{array}
$$

It follows by parametricity of $\llbracket P\rrbracket$ that

new[int] x in (x:=0; P(x:=x+1)) = new[int] x in (x:=0; P(x:=x-1)),

whenever $P$ is a free identifier of type comm → comm. Similarly,

new[int] x in (x:=0; P(x, x:=x+1)) = new[int] x in (x:=0; P(x, x:=x-1))

when $P$ is a free identifier of type (exp[int] × comm → comm). This example shows the equivalence of two implementations of an abstract "counter". This was shown for the sequential language by O'Hearn and Tennent [OT95].

To illustrate the subtle differences between sequential and parallel settings, consider the following phrase

new[int] x in (x:=0; P(x/2, x:=x+2)),

which amounts to yet another representation for an abstract counter, and is equivalent to both versions discussed above. In sequential Algol it is also equivalent to

new[int] x in (x:=0; P(x/2, x:=x+1; x:=x+1)),

but this equivalence fails in the parallel model. The reason lies in the inequivalence of x:=x+1; x:=x+1 and x:=x+2, and the ability, by looking at the value of x in the intermediate state, to detect the difference.

Despite this example, the phrases

new[int] x in (x:=0; P(x:=x+1; x:=x+1))

and

new[int] x in (x:=0; P(x:=x+2))

are equivalent in sequential Algol and in parallel Algol, even though x:=x+1; x:=x+1 and x:=x+2 are not semantically equivalent in the parallel model; no matter how $P$ uses its argument, the only differences involve the local variable, whose value is ignored. To establish the equivalence, one can use the relation $R : W \leftrightarrow W \times V_{\mathrm{int}}$ given by $(w, (w', z)) \in R \iff w = w'$.

In contrast the phrases

new[int] x in
  (x:=0; P(x:=x+1; x:=x+1);
   if even(x) then diverge else skip)

and

new[int] x in
  (x:=0; P(x:=x+2);
   if even(x) then diverge else skip),

where diverge is a divergent command, are equivalent in sequential but not in parallel Algol. For example, if $P$ is $\lambda c.\,c \parallel c$, then the first phrase has an execution in which each argument thread reads x as 0, then each sets x to 1, and then the two final increments occur sequentially, leaving x with the value 3, causing termination; the other phrase, however, must diverge. The relation $(w, (w', z)) \in R \iff w = w' \ \&\ \mathrm{even}(z)$ works for the sequential model but not for the parallel.
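The execution described in this paragraph can be reproduced by enumerating interleavings. The following Python model is an added example written for this page, not code from the paper: it represents each assignment as a read step followed by a write step (non-atomic, as in the trace model), runs two copies of the argument command in every interleaving for $P = \lambda c.\,c \parallel c$, and then applies the even(x) test. The step representation, the initial value x=0 and the two argument commands are constructed for the example; only the reachable final values of x are compared, which is all the divergence test depends on.

```python
from itertools import combinations


def assignment(delta):
    """x := x + delta as two atomic steps: read x into a thread-local register,
    then write register + delta back.  The gap between them is where another
    thread's write can be lost or observed."""
    return [("read", 0), ("write", delta)]


def seq(*cmds):
    """Sequential composition: the steps of each command in turn."""
    return [step for cmd in cmds for step in cmd]


def run_sequential(c, x0=0):
    """Reachable final values of x when P is lambda c. c (one copy, no interleaving)."""
    x, reg = x0, 0
    for op, k in c:
        if op == "read":
            reg = x
        else:
            x = reg + k
    return {x}


def run_parallel_pair(c, x0=0):
    """Reachable final values of x when P is lambda c. c||c: every interleaving
    of the atomic steps of two copies of c, each copy with its own register."""
    n = len(c)
    finals = set()
    for slots in combinations(range(2 * n), n):  # global positions taken by copy 0
        slots = set(slots)
        x, reg, pc = x0, [0, 0], [0, 0]
        for pos in range(2 * n):
            tid = 0 if pos in slots else 1
            op, k = c[pc[tid]]
            pc[tid] += 1
            if op == "read":
                reg[tid] = x
            else:
                x = reg[tid] + k
        finals.add(x)
    return finals


def may_terminate(finals):
    """'if even(x) then diverge else skip' can terminate iff some reachable x is odd."""
    return any(v % 2 == 1 for v in finals)


def counter_comparison():
    """The two phrases of the text, with x:=0 as the initial state."""
    two_incs = seq(assignment(1), assignment(1))  # x:=x+1; x:=x+1
    one_inc2 = assignment(2)                      # x:=x+2
    return {
        "sequential finals": (run_sequential(two_incs), run_sequential(one_inc2)),      # ({2}, {2})
        "parallel finals": (run_parallel_pair(two_incs), run_parallel_pair(one_inc2)),  # ({2, 3, 4}, {2, 4})
        "may terminate": (may_terminate(run_parallel_pair(two_incs)),
                          may_terminate(run_parallel_pair(one_inc2))),                 # (True, False)
    }
```

The odd final value 3 arises from exactly the schedule the text describes (both copies read 0, both write 1, then the remaining increments run one after the other), and it is the only odd value reachable. With x:=x+2 every write stores an even register value plus 2, so the set of finals is {2, 4} and the guarded phrase always diverges; sequentially, both phrases end with x = 2 and both diverge, which is why the equivalence holds there.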

Indeed, in sequential Algol, the phrase

new[int] x in
  (x:=0; P(x:=x+2);
   if even(x) then diverge else skip)

discussed above is equivalent to diverge. This is because the semantics of a command is taken to be a state transformation, and no matter how many times $P$ calls its argument the value of the local variable x stays even, causing the phrase to diverge. This equivalence fails for parallel Algol, because our semantics "observes" intermediate states during execution. Instead the phrase is equivalent to P(skip); diverge.

In the O'Hearn-Tennent model, if x = 0 then f(x) else 1 and if x = 0 then f(0) else 1 fail to be semantically equivalent, because the model includes procedure meanings that violate the irreversibility of state change [OT95], yet the phrases behave identically in all sequential contexts. In contrast the equivalence should (and does) fail in our parallel model, because expression evaluation may not be atomic. For example, if $f$ is $\lambda y.\,y$ and the phrase is evaluated in parallel with a command that may change the value of x from 0 to 2, the first case might yield the result 2.

The two isomorphic implementations of synchronizers discussed earlier:

boolean flag1 = false, flag2 = false;
procedure synch(x, y) = (x:=true; await y; y:=false)
P(synch(flag1, flag2), synch(flag2, flag1))

and the dualized version, in which the roles of the two truth values are reversed, can also be proved equivalent by an easy argument involving parametricity. Let $X = (W \times V_{\mathrm{bool}}) \times V_{\mathrm{bool}}$, and define the relation $R : X \leftrightarrow X$ by

$$((w, b_1), b_2)\,R\,((w', b_1'), b_2') \iff w = w' \ \&\ b_1 = \neg b_1' \ \&\ b_2 = \neg b_2'.$$

The crucial step is to show that, when $u$ is an environment binding flag1 and flag2 to variables corresponding to the intended components of state,

$$(\llbracket\mathrm{synch}(\mathit{flag}_1, \mathit{flag}_2)\rrbracket X u,\ \llbracket\mathrm{synch}(\mathit{flag}_2, \mathit{flag}_1)\rrbracket X u) \in \llbracket\mathrm{comm}\rrbracket R.$$

The desired equivalence then follows straightforwardly.

The two non-isomorphic implementations of a "switch", discussed earlier, can be proved equivalent using the relation $R : W \times V_{\mathrm{bool}} \leftrightarrow W \times V_{\mathrm{int}}$ given by

$$(w, b)\,R\,(w', v) \iff w = w' \ \&\ b = (v > 0).$$


8 Conclusions

We have shown how to give semantic models for a parallel Algol-like language. The semantic models combine ideas from the theory of sequential Algol (possible worlds, relational parametricity) with ideas from the theory of shared-variable parallelism (transition traces) in a rather appealing manner which, we believe, brings out the sense in which shared-variable parallelism and call-by-name procedures are orthogonal. We have shown that certain laws of program equivalence familiar from shared-variable programming remain valid when the language is expanded to include procedures; and certain laws of equivalence familiar from functional programming remain valid when parallelism is added. Although we do not claim a full conservative extension property, these results suggest that our language Parallel Algol combines functional and shared-variable programming styles in a disciplined and well-behaved manner. We have discussed a variety of examples intended to show the utility of the language and the ability of our semantics to support rigorous arguments about the correctness properties of programs. Our parametric model offers a formal and general way to reason about "concurrent objects".

Our semantics inherit both the advantages and limitations of the corresponding sequential models and of the trace model for the simple shared-variable language. At ground type comm we retain the analogue of the full abstraction properties of [Bro93]: two commands have the same meaning if and only if they may be interchanged in all contexts without affecting the behavior of the overall program. The extra discriminatory power provided by the λ-calculus facilities does not affect this. However, like their sequential forebears, our models still include procedure values that violate the irreversibility of state change [OR95], preventing full abstraction at higher types. Recent work of Reddy [Red96], and of O'Hearn and Reynolds [OR95], incorporating ideas from linear logic, appears to handle irreversibility for sequential Algol; we conjecture that similar ideas may also work for the parallel language, with suitable generalization; this will be the topic of further research.
10 Appendix: Naturality of recursion

Throughout this Appendix suppose $\pi, \iota : \theta \vdash P : \theta$.

With each phrase type $\theta$ we associate a functor $[\theta]$ from the category of worlds to the category of complete lattices and monotone functions, defined by induction on $\theta$:

$$
\begin{array}{l}
[\mathrm{comm}]W = \wp((W \times W)^\infty) \\
[\mathrm{comm}]h = \lambda c.\{\alpha' \mid \mathrm{map}(f \times f)\alpha' \in c \ \&\ \mathrm{map}(Q)\alpha'\} \\
[\mathrm{exp}[\tau]]W = \wp((W^+ \times V_\tau) \cup W^\omega) \\
[\mathrm{exp}[\tau]]h = \lambda e.\{(\rho', v) \mid (\mathrm{map}\,f\,\rho', v) \in e\} \cup \{\rho' \mid \mathrm{map}\,f\,\rho' \in e \cap W^\omega\} \\
[\theta \times \theta'] = [\theta] \times [\theta'] \\
[\theta \to \theta']W = \{p(-) \mid \forall h : W \to W'.\ p(h) : [\theta]W' \to [\theta']W'\} \\
[\theta \to \theta']hp = \lambda h' : W' \to W''.\ p(h; h')
\end{array}
$$

Intuitively, $[\theta]W$ is like $\llbracket\theta\rrbracket W$ without the closure requirements at ground types and naturality requirements at arrow types. Again we use the pointwise ordering on $[\theta \to \theta']W$. For each type $\theta$ and morphism $h$, $[\theta]h$ is continuous, and $\llbracket\theta\rrbracket W \subseteq [\theta]W$.

We define, for each phrase type $\theta$, a natural transformation $\mathrm{stut}_\theta$ from $[\theta]$ to $[\theta]$, embodying what it means to insert an extra stuttering step at that type. Again the definition is by structural induction on $\theta$:

$$
\begin{array}{l}
\mathrm{stut}_{\mathrm{comm}}W c = \{(w, w)\alpha \mid w \in W \ \&\ \alpha \in c\} \\
\mathrm{stut}_{\mathrm{exp}[\tau]}W e = \{(w\rho, v) \mid w \in W \ \&\ (\rho, v) \in e\} \cup \{w\rho \mid w \in W \ \&\ \rho \in e \cap W^\omega\} \\
\mathrm{stut}_{\theta \times \theta'} = \mathrm{stut}_\theta \times \mathrm{stut}_{\theta'} \\
\mathrm{stut}_{\theta \to \theta'}W p = \lambda h : W \to W'.\ \mathrm{stut}_{\theta'}W' \circ (p\,h)
\end{array}
$$

We define, by induction on $\theta$, a natural transformation $\mathrm{clos}_\theta$ from $[\theta]$ to $\llbracket\theta\rrbracket$:

$$
\begin{array}{l}
\mathrm{clos}_{\mathrm{comm}}W c = c^\dagger \\
\mathrm{clos}_{\mathrm{exp}[\tau]}W e = e^\dagger \\
\mathrm{clos}_{\theta \times \theta'} = \mathrm{clos}_\theta \times \mathrm{clos}_{\theta'} \\
\mathrm{clos}_{\theta \to \theta'}W p = \lambda h : W \to W'.\ \mathrm{clos}_{\theta'}W' \circ (p\,h)
\end{array}
$$

The semantic definitions given earlier (minus the use of closure) then yield natural transformations $[P]$ from $[\pi]$ to $[\theta]$, such that $\llbracket P\rrbracket W u = \mathrm{clos}_\theta W([P]W u)$ for all $u \in \llbracket\pi\rrbracket W$. This may be shown by induction on the proof of the judgement $\pi \vdash P : \theta$.
For example, for sequential composition we put $[P_1; P_2]W u = ([P_1]W u) ; ([P_2]W u)$ for all $u \in [\pi]W$. When $u \in \llbracket\pi\rrbracket W$ we then get

$$
\begin{array}{rcl}
\llbracket P_1; P_2\rrbracket W u & = & \llbracket P_1\rrbracket W u ; \llbracket P_2\rrbracket W u \\
& = & ([P_1]W u)^\dagger ; ([P_2]W u)^\dagger \\
& = & ([P_1]W u ; [P_2]W u)^\dagger \\
& = & ([P_1; P_2]W u)^\dagger
\end{array}
$$

When $\pi, \iota : \theta \vdash P : \theta$, and $u \in \llbracket\pi\rrbracket W$, the function

$$F = \lambda x : [\theta]W.\ \mathrm{stut}_\theta W([P]W(u \mid \iota : x))$$

is a monotone map on the complete lattice $[\theta]W$. Its greatest fixed point, which we denote by $\nu x.F(x)$, is in $[\theta]W$, and the closure of this fixed point is in $\llbracket\theta\rrbracket W$.

We therefore take

$$\llbracket\mathrm{rec}\ \iota.P\rrbracket W u = \mathrm{clos}_\theta W(\nu x.\ \mathrm{stut}_\theta W([P]W(u \mid \iota : x))).$$

This definition is natural, in that $\llbracket\theta\rrbracket h(\llbracket\mathrm{rec}\ \iota.P\rrbracket W u) = \llbracket\mathrm{rec}\ \iota.P\rrbracket W'(\llbracket\pi\rrbracket h u)$.

To show naturality, let $h : W \to W'$ and let $F' : [\theta]W' \to [\theta]W'$ be given by:

$$F' = \lambda x' : [\theta]W'.\ \mathrm{stut}_\theta W'([P]W'([\pi]h u \mid \iota : x')).$$

We must show that $[\theta]h(\nu F) = \nu F'$. We argue as follows.

• By definition of $F'$, naturality of $\mathrm{stut}_\theta$, naturality of $P$ (assumed as induction hypothesis), and the fixed point property of $F$, we have:

$$
\begin{array}{rcl}
F'([\theta]h(\nu F)) & = & \mathrm{stut}_\theta W'([P]W'([\pi]h u \mid \iota : [\theta]h(\nu F))) \\
& = & \mathrm{stut}_\theta W'([P]W'([\pi, \iota : \theta]h(u \mid \iota : \nu F))) \\
& = & \mathrm{stut}_\theta W'([\theta]h([P]W(u \mid \iota : \nu F))) \\
& = & [\theta]h(\mathrm{stut}_\theta W([P]W(u \mid \iota : \nu F))) \\
& = & [\theta]h(\nu F),
\end{array}
$$

so that $[\theta]h(\nu F)$ is a fixed point of $F'$. Hence $[\theta]h(\nu F) \sqsubseteq \nu F'$.

• For the converse inequality, i.e. $\nu F' \sqsubseteq [\theta]h(\nu F)$, we show that $\nu F' \sqsubseteq [\theta]h(\mathrm{top}_{[\theta]W})$, from which the result follows by continuity of $[\theta]h$, and the fact that $\nu F$ is equal to $F^\beta(\mathrm{top})$ for some ordinal $\beta$. We sketch the proof, focussing on the most difficult case (when $\theta$ is comm). In this case we need to show that every trace of $\nu F'$ respects (the equivalence relation of) $h$. To prove this we first need some definitions. Say that a value $p' \in [\mathrm{comm}]W'$ respects $h$ for $n$ steps if each trace in $p'$ respects the equivalence relation of $h$ for its first $n$ steps. We will also say that a value $p'$ in $[\theta_0 \to \theta_1]W'$ respects $h$ for $n$ steps if, for all $h' : W' \to W''$, and all $a \in [\theta_0]W''$, if $a$ respects $h; h'$ for $n$ steps then so does $p'\,h'\,a$. We say that an environment $u' \in [\pi]W'$ respects $h$ for $n$ steps if for all $\iota \in \mathrm{dom}(\pi)$, $u'(\iota)$ respects $h$ for $n$ steps. We then prove, by induction on $P$, that whenever $u'$ respects $h$ for $n$ steps so does $[P]W' u'$. It follows easily that when $u'$ and $x'$ respect $h$ for $n$ steps, then $\mathrm{stut}_{\mathrm{comm}}W'([P]W'(u' \mid \iota : x'))$ respects $h$ for $n+1$ steps. Clearly, when $u \in \llbracket\pi\rrbracket W$, $[\pi]h u$ respects $h$ for all steps. By the fixed point property of $\nu F'$ and the definition of $\mathrm{stut}_{\mathrm{comm}}$, the first step of every trace in $\nu F'$ is a stutter, which obviously preserves any equivalence relation. Hence, $\nu F'$ respects $h$ for 1 step. Using the fixed point property of $\nu F'$ again one can then show by an easy induction on $n$ that $\nu F'$ respects $h$ for all steps, as required.

This proof extends to cover phrases of product type, arrow type, exp[τ] and var[τ], in a straightforward manner.